REPORT  DOCUMENTATION  PAGE 


Form  Approved 
OMB  No.  0704-0188 



1. AGENCY USE ONLY (Leave blank)
2. REPORT DATE: 15 Jul 02
3. REPORT TYPE AND DATES COVERED: THESIS


4.  TITLE  AND  SUBTITLE 

THE HIPAA PRIVACY RULE'S IMPACT ON THE COST, ACCESS, AND QUALITY OF HEALTH CARE


5.  FUNDING  NUMBERS 


6.  AUTHOR(S) 

MAJ  TRIPP  CHARLES  H 


7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

SETON  HALL  UNIVERSITY 


8.  PERFORMING  ORGANIZATION 
REPORT  NUMBER 

CI02-156 


9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

THE  DEPARTMENT  OF  THE  AIR  FORCE 
AFIT/CIA,  BLDG  125 
2950  P  STREET 
WPAFB  OH  45433 


10.  SPONSORING/MONITORING 
AGENCY  REPORT  NUMBER 


11.  SUPPLEMENTARY  NOTES 

12a. DISTRIBUTION AVAILABILITY STATEMENT

Unlimited distribution, in accordance with AFI 35-205/AFIT Sup 1

12b.  DISTRIBUTION  CODE 

13. ABSTRACT (Maximum 200 words)

DISTRIBUTION STATEMENT A: Approved for Public Release; Distribution Unlimited

15.  NUMBER  OF  PAGES 

66 


16.  PRICE  CODE 


17. SECURITY CLASSIFICATION OF REPORT / 18. SECURITY CLASSIFICATION OF THIS PAGE / 19. SECURITY CLASSIFICATION OF ABSTRACT / 20. LIMITATION OF ABSTRACT

Standard Form 298 (Rev. 2-89)


Chuck  Tripp 


THESIS  TOPIC: 

THE  HIPAA  PRIVACY  RULE’S  IMPACT 
ON  THE  COST,  ACCESS  AND  QUALITY  OF  HEALTH  CARE 

Congress recognized the need for national patient record privacy standards in
1996 when it enacted the Health Insurance Portability and Accountability Act of 1996
(HIPAA). While the law included provisions designed to save money for health care
businesses by encouraging electronic transactions, it also required new safeguards to
protect the security and confidentiality of that information. The law gave Congress until
August 21, 1999 to pass comprehensive health privacy legislation. When that did not
happen, the law required the Department of Health and Human Services (HHS) to craft
such protections by regulation: the Privacy Rule. The initial proposed regulations were
published in November 1999 and attracted over 52,000 comments. The final rule was
published in December 2000 with an effective date of April 14, 2001. As required by law,
most covered entities have two years, until April 14, 2003, to comply with the final rule's
provisions.

The Final Privacy Rule applies to health plans, health care clearinghouses, and
those health care providers who transmit any health information electronically. The main
provisions of the "Rule" are: Consent (45 CFR § 164.506), the Minimum Necessary
Standard (45 CFR §§ 164.502(b), 164.514(d)), Business Associates (45 CFR §§ 160.103,
164.502(e), 164.514(e)), Marketing (45 CFR §§ 164.501, 164.514(e)), and Government
Access to Health Information (45 CFR §§ 160.300, 164.512(b), 164.512(f)). For the
purposes of my paper, I will focus on the Consent and Minimum Necessary Standard
provisions because they appear to have the greatest potential impact on the cost, access,
and quality of health care.

The consent requirement provides that a covered health care provider must obtain
the individual's consent prior to using or disclosing protected health information to carry
out treatment, payment, or health care operations. However, consent is not required for
providers who have an indirect treatment relationship, such as a radiologist. Further, a
provider may forgo prior consent when providing emergency treatment; when required by
law to treat the individual and unable to obtain such consent; or in instances of severe
communication barriers where the provider, exercising professional judgment, infers the
individual's consent. The regulation allows a covered health care provider to condition
treatment on the provision of the individual's consent. It further allows the individual to
revoke his or her consent, except to the extent that the covered entity has taken action in
reliance on it.

The consent requirement has engendered a fair amount of concern from a variety
of interested parties, as evidenced in my review of testimonies before the National
Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality.
Two representative entities are Kaiser Permanente and the American Pharmaceutical
Association. A spokesperson for Kaiser Permanente stated that the consent requirement
would create unintended but significant barriers to the delivery of health care services to
their 8.2 million members. She emphasized the administrative burden of obtaining the
consents as well as the life-threatening implications of not having the consent in place.
She further stated that an additional concern of theirs is that, because the regulation allows


health care providers to condition treatment on the provision of the individual's consent,
the consent does not provide patients a truly informed and voluntary choice. A
spokesperson for the American Pharmaceutical Association stated that the prior consent
requirement erects significant barriers to the quick, efficient, and safe delivery of health
care that patients count on pharmacists to provide. Pharmacies will have to have consent
forms in hand before they are allowed to dispense needed medications. Perhaps a greater
concern arises in the event of a needed recall of a medication. Pharmacists are
concerned with what would happen in that situation for people who have either not
submitted consent or have revoked their consent.

The  minimum  necessary  standard  requires  a  covered  entity  to  make  reasonable 
efforts  to  limit  protected  health  information  to  the  minimum  necessary  to  accomplish  the 
intended  purpose  of  the  use,  disclosure,  or  request.  This  requirement  does  not  apply  to 
disclosures  to  or  requests  by  a  health  care  provider  for  treatment,  disclosures  to  the 
individual  who  is  the  subject  of  the  information,  disclosures  made  to  the  Secretary  of 
Health  and  Human  Services,  and  uses  or  disclosures  that  are  required  by  law.  For  routine 
and  recurring  disclosures  of  protected  health  information,  the  covered  entity  must 
implement  policies  and  procedures  that  limit  the  protected  health  information  to  the 
amount  reasonably  necessary  to  achieve  the  purpose  of  the  disclosure.  For  non-recurring 
disclosures,  the  covered  entity  must  develop  criteria  to  limit  the  protected  health 
information  being  disclosed,  and  review  requests  for  disclosure  on  an  individual  basis  in 
accordance  with  such  criteria.  The  regulation  further  provides  that  a  covered  entity  may 
rely,  if  such  reliance  is  reasonable  under  the  circumstances,  on  a  requested  disclosure  as 
the  minimum  necessary  for  the  stated  purpose  when  the  request  is  made  by  a  public 


official,  another  covered  entity,  a  professional  who  is  a  workforce  member  or  business 
associate  of  the  covered  entity  holding  the  information,  or  a  researcher  with  appropriate 
documentation  from  an  Institutional  Review  Board  (IRB)  or  Privacy  Board. 

The minimum necessary standard has also stimulated concern. A spokesperson
for the Health Insurance Association of America (HIAA), testifying before the National
Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality,
stated, "Because the minimum necessary standard is inherently vague, we are concerned
that it will lead to 'defensive' restrictions on the flow of information between providers
and health plans due to fears about the legal risk of disclosing information. We believe
this may have negative consequences for the quality and affordability of health care." He
stated, additionally, that the minimum necessary standard will be very costly to
implement, up to $19.8 billion over five years for hospitals alone. A spokesperson for the
American Association of Health Plans (AAHP), also testifying before the subcommittee,
stated, "If the privacy rule is at all vague or ambiguous about what a health plan may do,
the plaintiffs' bar will use it as a weapon." He recommended that HHS clarify the
guidance to say that the standard is satisfied so long as the covered entity reasonably
believes that the information is necessary to perform the task at hand.

The  privacy  rule,  while  it  is  a  final  rule,  is  subject  to  modification.  Based  on  my 
research  to  date,  I  expect  that  modifications  are  imminent.  A  noted  aim  of  HHS  is  that 
the  privacy  protections  not  interfere  with  a  patient's  access  to  or  the  quality  of  health  care 
delivery.  My  paper,  while  focusing  on  the  above  two  provisions  of  the  Privacy  Rule,  will 
analyze  the  concerns  of  interested  parties,  measure  them  against  the  actual  provisions  in 
the  regulation,  and  will  propose  a  means  of  implementing  the  rule  that  will  best  protect 


the  individually  identifiable  health  information  while  minimizing  its  impact  on  the  cost, 
access  and  quality  of  health  care. 


THESIS 
Chuck  Tripp 
15  Nov  01 


THE HIPAA PRIVACY RULE'S IMPACT ON THE COST, ACCESS, AND QUALITY OF HEALTH CARE


I.  INTRODUCTION: 

Congress recognized the need for national patient record privacy standards in
1996 when it enacted the Health Insurance Portability and Accountability Act of 1996
(HIPAA). While the law included provisions designed to save money for health care
businesses by encouraging electronic transactions, it also required new safeguards to
protect the security and confidentiality of that information. The law gave Congress until
August 21, 1999 to pass comprehensive health privacy legislation. When that did not
happen, the law required the Department of Health and Human Services (HHS) to craft
such protections by regulation: the Privacy Rule. The initial proposed regulations were
published in November 1999 and attracted over 52,000 comments. The final rule was
published in December 2000 with an effective date of April 14, 2001. As required by law,
most covered entities have two years, until April 14, 2003, to comply with the final rule's
provisions.

The Privacy Rule has engendered a great deal of response from the health care
community, as evidenced by the 52,000 comments mentioned above. Seemingly every
part of the community, from health care providers, insurers, and pharmacists to health-related
advocacy groups, has voiced both support and concern over the then-proposed Privacy
Rule. This paper will first analyze the Privacy Rule, discussing the make-up of the
regulation, defining the "words of art" terms, and reviewing the proposed benefits and
costs associated with the implementation of the Rule. The paper will then focus on three
key aspects of the Rule that appear to have the greatest potential effect on the cost,
access, and quality of care: 1) the Consent Requirement, 2) the Minimum Necessary
Requirement, and 3) the lack of Federal Preemption. In discussing these three aspects of
the Rule, I will discuss the concerns voiced by the various segments of the health care
community, and their recommendations for making the Rule easier to live with while
maintaining its overarching purpose of protecting personal health information. The
paper will then briefly discuss the ongoing proposed modifications to the Rule, based on
the voiced concerns. Finally, I will propose my recommendations for implementation of
the Rule, which will aim to maximize the goal of the Rule while minimizing the
associated effects on the cost, access, and quality of care.




II.  THE  PRIVACY  RULE: 


The goal of the Privacy Rule is to protect individuals' rights to privacy in matters
involving their health care. It stems from a concern that if individuals are worried about
the privacy of their health care information, they may withhold important information
from their health care providers which may be necessary for their care. Complex Privacy
Regulations Have Far Reaching Impact, 13 Health Lawyer 1, April 2001 (#24). It has
also been noted that in order to protect their privacy and avoid embarrassment, stigma
and discrimination, individuals have withheld information from their health care
providers, provided inaccurate information, paid out of pocket for care that is covered by
insurance and, in some instances, avoided care altogether. The Privacy Rule was
promulgated to create a uniform, strong national standard to allay the concern of health
care consumers (patients). Frequently Asked Questions about HIPAA,
http://www.hipaantidote.com/faq.asp (#3)

The Privacy Rule is the first comprehensive federal protection for privacy of health care
information. Standards for Privacy of Individually Identifiable Health Information,
Office of Civil Rights, http://aspe.os.dhhs.gov/admnsimp/final/pvcguide1.htm (#6)

Because of its federal reach, the Privacy Rule establishes a threshold that must be met in
every jurisdiction. John Kelley, HIPAA Privacy Rule Guidelines, The Internet Law
Journal, http://www.tilj.com/content/healtharticle090401.htm (#42)

The Privacy Rule applies only to covered entities: health plans, health care
clearinghouses, and health care providers who transmit certain health information
electronically. 45 CFR § 160.102. The focal point of the Privacy Rule is the general
prohibition on the dissemination of personal health care information. The rule states that
"a covered entity may not use or disclose protected health information except as
permitted or required" by the rule. 45 CFR § 164.502.

The main provisions of the "Rule" are: Consent (45 CFR § 164.506), the Minimum
Necessary Standard (45 CFR §§ 164.502(b), 164.514(d)), Business Associates (45 CFR
§§ 160.103, 164.502(e), 164.514(e)), Marketing (45 CFR §§ 164.501, 164.514(e)),
Government Access to Health Information (45 CFR §§ 160.300, 164.512(b), 164.512(f)),
and Preemption (45 CFR Part 160, Subpart B).


A.  DEFINITION  OF  KEY  TERMS 

In this section I will provide the definitions of key terms in the rule.
Definitions are found in the regulations at 45 CFR §§ 160.103, 160.202, and
164.501.

45 CFR § 160.103 definitions: Business Associate, Compliance Date,
Covered Entity, Health Care, Health Care Clearinghouse, Health
Information, and Health Plan.




45  CFR  §  160.202  definitions:  Contrary,  and  More  stringent. 

45 CFR § 164.501 definitions: Disclosure, Indirect Treatment Relationship,
Individually Identifiable Health Information, Law Enforcement Official,
Marketing, Payment, Protected Health Information, Treatment, and Use.

These  selected  definitions  are  critical  in  the  understanding  of  the  Privacy 
Rule. 


B.  BENEFITS  OF  THE  PRIVACY  RULE 

The main benefit and stated goal of the Privacy Rule is the protection of
personal health information: not so much because that is an end in and of
itself, but because the protection of that information will have far-reaching
effects on health care, mainly as a result of quieting patients' concerns
about the handling of their health information.

The Rule will improve the quality of care and the patient/provider
relationship. As noted above, concerns about lack of privacy now drive a
wedge between patients and their providers and impede the provision of
quality care because patients withhold information, avoid asking certain
questions, or fail to seek care altogether. Myths and Facts about the
HIPAA Privacy Regulation, HIPAAdvisory,
http://www.hipaadvisory.com/views/Patient/myths.htm (#30)

Under the Rule, patients will have significant new rights to understand and
control how their health information is used:

Patient  education  on  privacy  protections  -  Providers  and  health  plans  will 
be  required  to  give  patients  a  clear  written  explanation  of  how  the  covered 
entity  may  use  and  disclose  their  health  information. 

Ensuring  patient  access  to  their  medical  records  -  Patients  will  be  able  to 
see  and  get  copies  of  their  records,  and  request  amendments.  Also,  a 
history  of  non-routine  disclosures  must  be  made  accessible  to  patients. 

Receiving  patient  consent  before  information  is  released  -  Health  care 
providers  who  see  patients  will  be  required  to  obtain  patient  consent 
before  sharing  their  information  for  treatment,  payment  and  health  care 
operations.  In  addition,  separate  patient  authorization  must  be  obtained 
for  non-routine  disclosures  and  most  non-health  care  purposes.  Patients 
will  have  the  right  to  request  restrictions  on  the  uses  and  disclosures  of 
their  information. 

Providing  recourse  if  privacy  protections  are  violated  -  People  will  have 
the  right  to  file  a  formal  complaint  with  a  covered  provider  or  health  plan, 




or  with  HHS,  about  violations  of  the  provisions  of  this  rule  or  the  policies 
and  procedures  of  the  covered  entity. 

Protecting the Privacy of Patients' Health Information, HHS Fact Sheet,
http://www.hhs.gov/news/press/2001pres/01fsprivacy.html (#5)

Regarding  consent,  this  is  the  first  time  that  federal  law  has  established  the 
principle  that  medical  information  may  not  be  disclosed  without  the 
consent  of  the  patient.  Ronald  Weich,  Legislative  Consultant  to  the 
American  Civil  Liberties  Union,  National  Committee  on  Vital  and  Health 
Statistics,  Subcommittee  on  Privacy  and  Confidentiality,  August  22,  2001 
(#14) 

C.  COSTS  OF  THE  PRIVACY  RULE 

Some note that the costs of implementing the privacy standards will dwarf
the costs of both the security and administrative transactions standards
(also part of HIPAA). Comment # 1788i, Comments on NPRM:
Standards for Privacy of Individually Identifiable Health Information, Use
and Disclosure for Treatment, Payment, and Health Care Operations.
(#32) The costs can be measured in dollars, but they can also be measured
in administrative burden.

Full compliance carries a significant and time-consuming administrative
burden. An entity covered under the Rule is required to develop and
implement a compliance plan that includes policies and procedures
regarding: the use and disclosure of protected health information (PHI);
the revocation of consents and authorizations; disclosures to Business
Associates; disclosures to personal representatives of individuals;
disclosures by workforce members, including whistleblowers; compliance
with rules regarding the release of the minimum amount of information;
creation of de-identified information; accountings; access to health
information; and retention of information. Frequently Asked Questions
about HIPAA (#3)

Originally, HHS predicted that the proposed rule would cost providers and
insurers $1.8 to $3.6 billion. They now predict costs over a 10-year period
will be about $17.6 billion. Others put the cost at $40 billion over the first
5 years. Implications of the New Privacy Standards for Healthcare
Institutions, Healthcare Financial Management, June 1, 2001. (#22)

The rule is likely to have the most significant impact on smaller
institutions and not-for-profit hospitals (#22). "One time" costs for
hardware and security implementation are not insignificant when
they may approach 10% or more of a hospital's operating budget. (#32)

The  largest  portion  of  the  compliance  expense  will  be  the  costs  associated 
with  the  requirement  of  having  a  privacy  officer  and  the  implementation 




of the minimum necessary standard. The privacy officer requirement is expected to
cost $723 million in the first year, with a 10-year cost of $5.9 billion. The
minimum necessary standard is expected to cost $926 million in the first
year, with a 10-year cost of $5.8 billion. (#22)

III.  THE  CONSENT  REQUIREMENT: 

Consent  is  perhaps  the  biggest  change  from  the  proposed  rule  because  the 
proposed  rule  did  not  require  consent  for  treatment,  payment  or  health  care  operations. 
John  Christiansen,  Preliminary  Analysis  of  HIPAA  Privacy  Regulations:  Information 
Privacy  and  Processes,  January  2,  2001  (#40) 

The  Privacy  Rule  establishes  a  federal  requirement  that  most  doctors,  hospitals,  or  other 
health  care  providers  obtain  a  patient's  written  consent  before  using  or  disclosing  the 
patient's  personal  health  information  to  carry  out  treatment,  payment,  or  health  care 
operations  (TPO).  (#6)  General  provisions  for  consent  are  also  listed  in  #6  and  will  be 
discussed  in  the  paper. 

Health  care  providers  must  obtain  consent  from  the  individual  to  use  or  disclose  PHI  for 
purposes  of  TPO.  For  the  most  part,  other  covered  entities  are  not  required  to  obtain 
consent  to  use  or  disclose  PHI  to  carry  out  TPO  (#24) 

The consent form itself may be written in general terms, but must inform the patient that
protected health information may be used for treatment, payment, or health care
operations. It must also advise that the patient has the right to review the privacy notice
prior to signing the consent. The consent must also state that the entity has reserved the
right to change its privacy practices. (#24)

The  consent  must  be  maintained  for  6  years  (#6). 

Health  care  providers  may  condition  treatment  on  the  individual  providing  consent  (#6). 

A pharmacist may use professional judgment and experience with common practice to
make reasonable inferences of the patient's best interests in allowing a person other than the
patient to pick up a prescription. 45 CFR § 164.510(b).

The following are exempt from the consent requirement: emergency treatment situations
(but the covered entity must attempt to obtain consent as soon as reasonably practicable after
the emergency care); situations where the provider is required by law to provide the PHI; and
disclosures for law enforcement or other government purposes. Also, indirect treatment providers do not
need consent to use PHI because they deliver services based on the orders of other
providers, and the results of those services are furnished to the patient through the direct
treating provider. (#6)

Authorizations  are  differentiated  from  consent  -  Authorizations  are  a  more  customized 
document  that  gives  covered  entities  permission  to  use  specified  PHI  for  specified 
purposes,  which  are  generally  other  than  TPO,  or  to  disclose  PHI  to  a  third  party 




specified  by  the  individual.  Covered  entities  may  not  condition  treatment  on  the 
individual  providing  an  authorization  (#6) 

Additionally,  all  covered  entities,  not  just  providers,  must  obtain  authorizations. 

A.  CONCERNS  REGARDING  THE  CONSENT  REQUIREMENT 

Because  providers  can  condition  treatment  on  the  individual's  providing  consent, 
individuals  may  be  coerced  into  sharing  personal  health  information.  Sue  A. 
Blevins,  President,  Institute  of  Health  Freedom,  Testimony  before  the  National 
Committee  on  Vital  and  Health  Statistics,  Subcommittee  on  Privacy  and 
Confidentiality,  August  21,  2001  (#9) 

Does  this  create  a  new  ethics  code  -  patients  may  now  be  denied  treatment  for 
failing  to  share  personally  identifiable  information  for  purposes  of  health  care 
operations?  (#9). 

Consent  requirement  will  create  unintended  but  significant  barriers  to  delivery  of 
health  care  services  to  Kaiser  Permanente's  8.2  million  members.  Mary 
Henderson,  National  HIPAA  Program  Director,  Kaiser  Permanente  Testimony 
for  above  committee  (#7) 

The  Health  Leadership  Council  states  that  the  right  of  a  provider  to  condition 
treatment  upon  the  patient  giving  written  consent  is  often  meaningless  within  the 
ethical  practice  of  medicine  -  as  an  example:  a  patient  signs  consent,  later 
revokes  the  consent  while  hospitalized.  Ethically  and  legally  the  provider  must 
continue  treatment,  but  under  the  Privacy  Rule,  would  be  required  to  do  so 
without  the  benefit  of  medical  information  derived  prior  to  the  revocation.  This 
puts  the  provider  in  an  untenable  ethical  and  legal  position  and  puts  the  patient  at 
risk.  Bruce  Kelly,  Director  of  Government  Relations  for  Mayo  Foundation, 
testifying  on  behalf  of  the  Healthcare  Leadership  Council  at  the  above  committee 
(#10) 

They also see the consent requirement as an affront to patients. They do not think the
first thing patients should have to face is a 10-page summary of information
practices and a demand for a signed consent before they can be seen (#10).

Even within HIPAA there are incongruities. If a person withdraws consent, under
the Privacy Rule a provider can disenroll the patient. However, HIPAA
portability regulations generally preclude disenrollment of any member except for
nonpayment or fraud. Which controls? (#7)

If  providers  are  prohibited  from  disclosing  to  health  plans  the  protected  health 
information  necessary  for  collection  analysis  activities,  the  goal  of  accountability 
and  oversight  of  health  plans  will  be  seriously  jeopardized.  Sharon  King 
Donohue,  General  Counsel  of  the  National  Committee  for  Quality  Assurance 
(NCQA),  testifying  at  above  committee  (#8). 




It  is  only  through  the  collection  analysis  and  action  upon  information  that  our 
health  care  system  can  hope  to  reduce  the  medical  errors  such  as  those  described 
in  the  Institute  of  Medicine's  report.  (#8). 

Without  a  patient's  consent,  a  pharmacist  can  do  nothing  more  with  a  patient's 
prescription  than  set  it  aside  and  wait  for  the  patient  to  arrive  and  provide  written 
consent. 

In  some  situations  such  as  identification  of  a  contaminated,  counterfeit  or 
ineffective  product,  urgent  notification  of  the  patient  is  required.  Susan  C. 
Winckler,  RPh,  JD,  before  the  above  committee  (#13). 


B.  RECOMMENDATIONS  FOR  CONSENT  REQUIREMENT 

Several  entities  recommend  doing  away  with  the  consent  requirement  for  TPO 
(the  proposed  rule  did  not  have  the  consent  requirement)  (#12,  #8,  #13) 

Uses  and  disclosures  of  protected  health  information  created  or  received  prior  to 
the  compliance  date  of  the  Rule  should  be  allowed  to  continue  as  was  legally 
permitted  prior  to  the  effective  date  of  the  rule  without  regard  to  content  or 
existence  of  written  consent  (#12). 

The AMA believes treatment should be conditioned on a patient's consent only for routine and
necessary purposes, such as TPO. (#12)

IV.  THE  MINIMUM  NECESSARY  STANDARD 

The minimum necessary standard generally requires covered entities to take
reasonable steps to limit use or disclosure of PHI to the minimum necessary to accomplish
the intended purpose. 45 CFR § 164.502(b).

The  standard  does  not  apply  to: 

-  Disclosures  to  or  request  by  a  health  care  provider  for  treatment  purposes. 

-  Disclosures  to  individuals  who  are  the  subject  of  the  information. 

-  Uses  or  disclosures  made  pursuant  to  an  authorization  by  the  individual. 

-  Uses  or  disclosures  required  for  compliance  with  standardized  HIPAA 
transactions. 

-  Disclosures  to  HHS. 

- Uses or disclosures required by law. 45 CFR § 164.502(b).

For  uses  of  PHI,  the  policies  and  procedures  must  identify  the  persons  or  classes 
of  persons  within  the  covered  entity  who  need  access  to  the  information  to  carry  out  their 
job  duties,  the  types  of  PHI  needed,  and  conditions  appropriate  to  such  access. 

For routine, recurring disclosures, covered entities must implement policies and
procedures that limit the PHI disclosed to the amount reasonably necessary to achieve the
purpose of the disclosure. For non-routine disclosures, covered entities must develop
reasonable criteria for determining and limiting disclosure to only the minimum amount
of PHI necessary to accomplish the purpose, and must review each such request on an
individual basis against those criteria. (#6)

In some circumstances, the Rule permits a covered entity to rely on the judgment of the party requesting the disclosure as to the minimum amount of information necessary. This is permitted when the request is made by:

- A public official or agency for a disclosure permitted under § 164.512.

- Another covered entity.

- A professional who is a workforce member or business associate of the covered entity holding the information.

- A researcher with appropriate documentation from an IRB or Privacy Board. (#6)


The ACLU believes that the minimum necessary standard embodies the essence of the privacy rule. It gives meaning to the presumption that information is not to be disclosed to third parties unless that disclosure is necessary to carry out a specific purpose, and then only to the extent necessary to carry out that purpose. (#14)

A. CONCERNS REGARDING THE MINIMUM NECESSARY STD.

Because the minimum necessary standard is inherently vague, HIAA is concerned that it will lead to "defensive" restrictions on the flow of information between providers and health plans due to fears about the legal risk of disclosing information. They further believe this may have a negative consequence for the quality and affordability of health coverage. Henry R. Desmarais, MD, MPA, Senior Vice President for Policy and Information, Health Insurance Association of America, at the above committee (#11).

This sentiment is shared by the American Pharmaceutical Association (APhA), which stated that providers might be reluctant to share information in an attempt not to violate the minimum necessary standard. (#13)

The NCQA believes the minimum necessary standard is a costly administrative burden that will interfere with important health care operations (#7).

In making minimum necessary determinations, covered entities concerned over the ambiguity of the rule, coupled with a reasonable fear of enforcement action, may limit certain information below the level critical for quality assurance, disease management, or accreditation. These incentives for disclosing insufficient clinical data could inadvertently thwart quality-enhancing activities that are beneficial to consumers (#7).


Patients should understand that "minimum necessary" bears little relationship to the potential harm from disclosure. Information is much more likely to be segregated by type than by sensitivity. Because of this, a categorical request for information, such as lab tests, may reveal sensitive information that the requestor did not need to know. Kathryn Serkes, Public Affairs Counsel, Association of American Physicians and Surgeons, at the above committee (#18).

The minimum necessary information might be just as prejudicial, perhaps more so if out of context, as the total chart, and is thus of no help in allaying patients' concerns (#18).

AAPS believes that the minimum necessary standard is undefined, and therefore unenforceable. The standard recalls the "Mad Hatter's pronouncement that it means what he says it means". Further, the OCR has no authority to override the requestor (#18).

According to AAPS, the worst feature of the minimum necessary standard is that law enforcement is exempt... (#18).

B. RECOMMENDATIONS FOR THE MINIMUM NECESSARY STD.

AHA recommends eliminating restrictions on the use of patient information within the hospital and easing restrictions for other uses and disclosures. This would take care of a scenario such as the following: a nurse walking by a patient in distress may not have ready access to all the information the nurse needs to help, because she isn't authorized to see those records. AHA: Medical Privacy Rules Need to be Fixed for Patients and Caregivers, http://www.aha.org/info/releasedisplay.asp?passreleaseid=332

HIAA recommends that the minimum necessary standard be removed from the Privacy Rule. In their view the other substantial protections established by the rule are sufficient to create strong safeguards for the confidentiality of protected health information while avoiding the potentially serious complications the minimum necessary standard presents. (#11)

Rather than having the minimum necessary standard, AAPS recommends that the requestor should request either a copy of the record within certain parameters (date, type of information, etc.) or a specified set of information to be abstracted from the record (#18). This would not require an "omniscient person fully cognizant of the content of the record, the needs of the requestor, and the mindset of the enforcer." (#18)

V. STATE PREEMPTION

All state laws that are contrary to the rule are preempted unless one of four conditions is met.

I will explain the four conditions.

A. CONCERNS WITH STATE PREEMPTION

B. RECOMMENDATIONS FOR STATE PREEMPTION

VI. RECOMMENDATIONS

I am not sure of my final recommendations at this point.

VII. CONCLUSION


Chuck Tripp


THESIS TOPIC:

THE HIPAA PRIVACY RULE'S IMPACT
ON THE COST, ACCESS AND QUALITY OF HEALTH CARE

Congress recognized the need for national patient record privacy standards in 1996 when it enacted the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While the law included provisions designed to save money for health care businesses by encouraging electronic transactions, it also required new safeguards to protect the security and confidentiality of that information. The law gave Congress until August 21, 1999 to pass comprehensive health privacy legislation. When that did not happen, the law required the Department of Health and Human Services (HHS) to craft such protections by regulation: the Privacy Rule. The initial proposed regulations were published in November 1999 and attracted over 52,000 comments. The final rule was published in December 2000 with an effective date of April 14, 2001. As required by law, most covered entities have two years, until April 14, 2003, to comply with the final rule's provisions.

The Final Privacy Rule applies to health plans, health care clearinghouses, and those health care providers who transmit any health information electronically. The main provisions of the "Rule" are: Consent (45 CFR § 164.506), the Minimum Necessary Standard (45 CFR §§ 164.502(b), 164.514(d)), Business Associates (45 CFR §§ 160.103, 164.502(e), 164.514(e)), Marketing (45 CFR §§ 164.501, 164.514(e)), and Government Access to Health Information (45 CFR §§ 160.300, 164.512(b), 164.512(f)). For the purposes of my paper, I will focus on the Consent and Minimum Necessary Standard provisions because they appear to have the greatest potential impact on the cost, access, and quality of health care.

The consent requirement provides that a covered health care provider must obtain the individual's consent prior to using or disclosing protected health information to carry out treatment, payment, or health care operations. However, consent is not required for providers who have an indirect treatment relationship, such as a radiologist. Further, a provider may forgo prior consent when providing emergency treatment; when required by law to treat the individual and the provider is unable to obtain such consent; or in instances of severe communication barriers where the provider, exercising his professional judgment, finds that the individual's consent is inferred. The regulation allows a covered health care provider to condition treatment on the provision of the individual's consent. It further allows the individual to revoke his/her consent, except to the extent that the covered entity has taken action in reliance on it.

The consent requirement has engendered a fair amount of concern from a variety of interested parties, as evidenced in my review of testimonies before the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality. Two representative entities are Kaiser Permanente and the American Pharmaceutical Association. A spokesperson for Kaiser Permanente stated that the consent requirement would create unintended but significant barriers to the delivery of health care services to their 8.2 million members. She emphasized the administrative burden of obtaining the consents as well as the life-threatening implications of not having the consent in place. She further stated that an additional concern of theirs is that, because the regulation allows health care providers to condition treatment on the provision of the individual's consent, the consent does not provide patients a truly informed and voluntary choice. A spokesperson for the American Pharmaceutical Association stated that the prior consent requirement erects significant barriers to the quick, efficient, and safe delivery of health care that patients count on pharmacists to provide. Pharmacies will have to have consent forms in hand before they are allowed to dispense needed medications. Perhaps a greater concern appears in the event of a needed recall of a medication. Pharmacists are concerned with what would happen in that situation for people who have either not submitted consent or have revoked their consent.

The minimum necessary standard requires a covered entity to make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This requirement does not apply to disclosures to or requests by a health care provider for treatment, disclosures to the individual who is the subject of the information, disclosures made to the Secretary of Health and Human Services, and uses or disclosures that are required by law. For routine and recurring disclosures of protected health information, the covered entity must implement policies and procedures that limit the protected health information to the amount reasonably necessary to achieve the purpose of the disclosure. For non-recurring disclosures, the covered entity must develop criteria to limit the protected health information being disclosed, and review requests for disclosure on an individual basis in accordance with such criteria. The regulation further provides that a covered entity may rely, if such reliance is reasonable under the circumstances, on a requested disclosure as the minimum necessary for the stated purpose when the request is made by a public official, another covered entity, a professional who is a workforce member or business associate of the covered entity holding the information, or a researcher with appropriate documentation from an Institutional Review Board (IRB) or Privacy Board.

The minimum necessary standard has also stimulated concern. A spokesperson for the Health Insurance Association of America (HIAA), testifying before the National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality, stated, "Because the minimum necessary standard is inherently vague, we are concerned that it will lead to 'defensive' restrictions on the flow of information between providers and health plans due to fears about the legal risk of disclosing information. We believe this may have negative consequences for the quality and affordability of health care." He stated, additionally, that the minimum necessary standard will be very costly to implement, up to $19.8 billion over five years for hospitals alone. A spokesperson for the American Association of Health Plans (AAHP), also testifying before the subcommittee, stated, "If the privacy rule is at all vague or ambiguous about what a health plan may do, the plaintiffs' bar will use it as a weapon." He recommended that HHS clarify the guidance to say that the standard is satisfied so long as the covered entity reasonably believes that the information is necessary to perform the task at hand.

The privacy rule, while it is a final rule, is subject to modification. Based on my research to date, I expect that modifications are imminent. A noted aim of HHS is that the privacy protections not interfere with a patient's access to or the quality of health care delivery. My paper, while focusing on the above two provisions of the Privacy Rule, will analyze the concerns of interested parties, measure them against the actual provisions in the regulation, and propose a means of implementing the rule that will best protect individually identifiable health information while minimizing its impact on the cost, access, and quality of health care.


THE HIPAA PRIVACY RULE:
ANOTHER STOP ALONG THE ROAD
PAVED WITH GOOD INTENTIONS


Charles H. Tripp, Jr.


April 15, 2002


This paper is submitted to Professor Sullivan in satisfaction of the Seton Hall Law School's LLM Thesis Requirement.


Government.


Thesis
Chuck Tripp
15 Apr 2002


THE HIPAA PRIVACY RULE:
ANOTHER STOP ALONG THE ROAD
PAVED WITH GOOD INTENTIONS


I. INTRODUCTION:

As is true with essentially all legislation and resultant regulations, the initiating party's intentions are good. Also true, however, is the fact that somewhere in the process, perhaps in the translation from statute to regulation, something seems to get lost, and those good intentions somehow get overtaken by the harsh realities of the actual implementation of the statute or regulation. Such is the case with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule.

The Act gave Congress until August 21, 1999 to pass comprehensive health privacy legislation. In the event that did not happen, the Act required the Department of Health and Human Services (HHS) to craft such protections by regulation — the Privacy Rule.1 The initial proposed regulations were published in November 2000 and attracted over 52,000 comments.2 The Final Rule was published in December 2000 with an effective date of April 14, 2001. As required by law, most covered entities have two years, until April 14, 2003, to comply with the Final Rule's provisions.3


1 U.S. Department of Health and Human Services. "Protecting the Privacy of Patients' Health Information." HHS Fact Sheet, 6 July 2001. 4 Sep 2001 http://www.hhs.gov/news/press/2001pres/01fsprivacy.html.

2 Id.

3 Office for Civil Rights, OCR HIPAA Privacy TA 164.000.001 General Overview, 3. 24 Sep. 2001 http://www.hhs.gov/ocr/hipaa/genoverview.html. Small health plans will have three years, until April 14, 2004, to comply with the Final Rule's provisions.


The Privacy Rule engendered a great deal of response from the health care community, as evidenced by the 52,000 comments. Every part of that community, from health care providers, insurers, and pharmacists to health-related advocacy groups, voiced both support and concern over the then-proposed Privacy Rule. This paper will examine the Final Rule, focusing on two key aspects, the Consent requirement and the Minimum Necessary standard; will discuss its likely impact on the costs and quality of health care; and will propose changes to the Privacy Rule, specifically pertaining to the Consent requirement and the Minimum Necessary standard, that will maximize its potential to serve its stated three purposes (see Section II) while minimizing its adverse impact on the cost and quality of health care. Section II will discuss the purpose of the Privacy Rule. Section III will provide a brief overview of the Privacy Rule. Section IV will examine the Consent requirement. Section V will examine the Minimum Necessary standard. Section VI will discuss concerns about the Final Rule, particularly the Consent requirement and the Minimum Necessary standard, voiced by various groups in the health care community, and will discuss the recommendations of the various health care groups. Section VII will discuss the Privacy Rule's effect on the cost and quality of health care. Section VIII will discuss HHS' proposed modifications. Section IX will propose changes to the Privacy Rule, based on the concerns and recommendations of the organizations within the health care community and the costs and benefits of the Final Rule.

This paper concludes that the Consent requirement is not necessary to ensure medical privacy and, in fact, will cause significant problems in the everyday provision of health care; it thus recommends that the requirement be deleted from the Privacy Rule. The paper also concludes that the Minimum Necessary standard, while beneficial, is misguided in its implementation; it therefore recommends that the standard be modified to reduce the costs associated with it, as well as to increase its effectiveness in ensuring quality health care.

II. THE PURPOSE OF THE PRIVACY RULE

The Privacy Rule establishes, for the first time, a set of national privacy standards that will provide all Americans with a basic level of protection and peace of mind, which is essential to their participating fully in their medical care.4 The Privacy Rule has three major purposes:

1. to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information;

2. to improve the quality of health care in the U.S. by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care; and

3. to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, and individual organizations and individuals.5

The provision of high-quality health care requires the free exchange of personal, often sensitive, information between a patient and a health care provider. The patient's ability to trust that the provided information will be protected and kept confidential is vital. Many patients, however, are concerned that their health information is not protected. Factors which fuel this concern are the growth in the number of organizations involved in providing health care and processing medical claims, the growing use of electronic information technology, increased efforts to market health care and related products to consumers, and the increasing technological ability to collect highly sensitive information, such as genetic information, about a person's current and future health status.6


4 Final Privacy Rule Preamble, Background and Purpose, 9. 27 Nov 2001 http://aspe.hhs.gov/admnsimp/final/PvcPre01.htm.

5 Id. at 8.


Surveys are replete with statistics indicating consumers' concern over health care privacy issues.7 The Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure made several findings highlighting the need for heightened privacy and security: "The greatest concerns regarding privacy of health information derive from widespread sharing of patient information throughout the health care industry and the inadequate federal and state regulatory framework for systematic protection of health information."8 These concerns regarding the privacy of health information, unfortunately, are not merely theoretical. Examples of recent privacy breaches include:

A Michigan-based health system accidentally posted the medical records of thousands of patients on the Internet (The Ann Arbor News, February 10, 1999).

A Utah-based pharmaceutical benefits management firm used patient data to solicit business for its owner, a drug store (Kiplingers, February 2000).

An employee of the Tampa, Florida, health department took a computer disk containing the names of 4,000 people who had tested positive for HIV, the virus that causes AIDS (USA Today, October 10, 1996).

A Nevada woman who purchased a used computer discovered that the computer still contained the prescription records of the customers of the pharmacy that had previously owned the computer. The pharmacy database included names, addresses, social security numbers, and a list of all the medicines the customers had purchased (The New York Times, April 4, 1997 and April 12, 1997).9


6 Id. at 9.

7 A 1998 study found that 88 percent of consumers were "concerned" by the amount of information being requested, while 55 percent were "very concerned". A series of national public opinion polls conducted by Louis Harris & Associates documents a rising level of public concern about privacy, growing from 64 percent in 1978 to 82 percent in 1995. Over 80 percent of persons surveyed in 1999 agreed with the statement that they had "lost all control over their personal information." Id. at 11.

8 Id. at 27.

A breach of a person's health privacy can have far-reaching implications beyond the physical health of the person, including the loss of a job, loss of health insurance, and public humiliation. Examples of such breaches follow:

A banker who also sat on a county health board gained access to patients' records and identified several people with cancer and called in their mortgages. See the National Law Journal, May 30, 1994.

A candidate for Congress nearly saw her campaign derailed when newspapers published the fact that she had sought psychiatric treatment after a suicide attempt. See New York Times, October 10, 1992, Section 1, page 25.

A 30-year FBI veteran was put on administrative leave when, without his permission, his pharmacy released information about his treatment for depression. (Los Angeles Times, September 1, 1998).10

Concerns about the lack of privacy of individuals' personal health information are, unfortunately but understandably, resulting in people shying away from medical treatment. Recent studies indicate that a person who does not believe his medical privacy will be protected is much less likely to fully participate in the diagnosis and treatment of his own medical condition.11 One in six Americans reported that they have taken some sort of evasive action to avoid the misuse of their health information by providing inaccurate diagnostic information to a health care provider, changing physicians, or avoiding care altogether.12


9 Id. at 15.

10 Id. at 17.

11 Id. at 16.

12 Id. at 17.


The findings are troubling because the essence of the health care system is built on trust between the patient and the health care provider. Trust allows patients to share the most intimate details of their lives with their health care providers. In the absence of such trust and the resultant withholding of candid information, there is serious risk that the treatment plan will be inappropriate to the patient's situation.13 The accuracy of the health information, however, affects more than the patient's treatment. Accurate medical records ensure prompt and proper processing of claims for payment, assist communities in identifying troubling public health trends, and, perhaps most importantly, facilitate continued improvements in the quality of health care by providing valuable information about which treatments work and which do not.14

Because of these concerns and the importance of encouraging the free flow of accurate health information from the patient to the health care provider, it is imperative to protect health information privacy. Prior to 1996, rules protecting health information privacy had been enacted primarily by the states. While virtually all states have statutes to protect health information privacy, the laws vary greatly from state to state, and tend not to cover the entire health care system.15 As such, state laws do not adequately silence the concerns of health information privacy. The answer to these concerns cannot be found in a patchwork of state laws, nor is the answer for consumers to withdraw from society and the health care system. The answer, rather, is to establish a clear national legal framework for health information privacy — the Privacy Rule.16

III. THE PRIVACY RULE GENERALLY


13 Id. at 16.

14 Id.

15 Id. at 9.

16 Id. at 18.


The Privacy Rule applies only to "covered entities" — health plans, health care clearinghouses17, and health care providers who transmit certain health information electronically.18 The focal point of the Privacy Rule is the general prohibition on the dissemination of what the Rule defines as "protected health information" (PHI)19. The Rule states that, "A covered entity may not use or disclose protected health information except as permitted or required" by the rule.20 The Rule provides for permitted uses21 and disclosures22 and required disclosures. Most notably, a covered entity is permitted to use or disclose protected health information pursuant to a Consent to carry out treatment, payment, or health care operations23 (TPO), or pursuant to an Authorization for uses


17 "A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and 'value-added' networks and switches, that does either of the following functions:

- Processes or facilitates the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction.

- Receives a standard transaction from another entity and processes or facilitates the processing of health information into nonstandard format or nonstandard data content for the receiving entity." Final Privacy Rule-Regulation Text, 45 CFR § 160.103, 4. 24 Sep. 2001 http://www.hhs.gov/ocr/regtext.html.

18 Id. at 45 CFR § 160.102, 2.

19 "Information that is a subset of health information, including demographic information collected from an individual, and:

- Is created or received by a health care provider, health plan, employer, or health care clearinghouse;

- Relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and

- That identifies the individual; or

- With respect to which there is a reasonable basis to believe the information can be used to identify the individual." Id. at 45 CFR § 164.501, 18.

20 Id. at 45 CFR § 164.502, 22.

21 "With respect to individually identifiable health information, the sharing, employment, application, utilization, examination, or analysis of such information within an entity that maintains such information." Id.

22 "The release, transfer, provision of access to, or divulging in any other manner of information outside the entity holding the information." Id. at 45 CFR § 164.501, 16.

23 "Any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:

- Conducting quality assessment and improvement activities.

- Reviewing the competence or qualifications of health care professionals...


other than TPO.24 A covered entity is required to disclose PHI to the individual who is the subject of the PHI, and when required by the Secretary for compliance and enforcement purposes.25

Under the Final Rule, patients will have significant, new rights to understand and control how their health information is used:

- Patient education on privacy protections. Providers and health plans will be required to give patients a clear written explanation (Notice) of how the covered entity may use and disclose their health information.

- Ensuring patient access to their medical records. Patients will be able to see and obtain copies of their records, and request amendments. In addition, a history of non-routine disclosures must be made accessible to patients.

- Receiving patient consent before information is released. Health care providers who see patients will be required to obtain patient consent before sharing their information for treatment, payment, and health care operations. In addition, separate patient authorization must be obtained for non-routine disclosures and most non-health care purposes. Patients will have the right to request restrictions on the uses and disclosures of their information.

- Providing recourse if privacy protections are violated. Patients will have the right to file a formal complaint with a covered provider or health plan, or with HHS, about violations of the provisions of this rule or the policies and procedures of the covered entity.26

Two key provisions of the Rule are the Consent requirement, § 164.506, and the Minimum Necessary standard, §§ 164.502(b) and 164.514(d). These two provisions are


- Underwriting, premium rating, and other activities relating to the creation, renewal, or replacement of a contract of health insurance or health benefits.

- Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs.

- Business planning and development.

- Business management and general administrative activities of the entity." Id.

24 Final Privacy Rule, supra note 17, at 45 CFR § 164.502, 22.

25 Id.

26 U.S. Department of Health and Human Services, supra note 1, at 2.




the essence of the Rule, and, as evidenced by the concerns voiced within the health care field, which will be discussed in Section VII, they are perhaps the most controversial. Most importantly, both can greatly affect the cost and the quality of health care.

IV. CONSENT REQUIREMENT AND AUTHORIZATIONS

A. Consent Requirement

The Privacy Rule establishes a federal requirement that most health care providers obtain a patient's written consent before using or disclosing the patient's personal health information (PHI) to carry out treatment, payment, or health care operations (TPO).27 The goal of the Consent requirement is to encourage more informed discussions between patients and health care providers about how protected health information will be used and disclosed in the health care system.28 Many health care providers already obtain patient consent, stating that they are ethically obligated to do so and that it is their practice to do so. A 1998 study by Merz et al., referenced in the preamble to the Final Rule, examined consent forms regarding disclosure of medical information. The study found that "97% of all hospitals seek consent for the release of information for payment purposes; 45% seek consent for disclosure for utilization review, peer review, quality assurance, and/or prospective review; and 50% seek consent for disclosure to providers, other health care facilities, or others for continuity of care purposes."29 The Privacy Rule builds on these practices by establishing a uniform federal standard for most health care


27 Office for Civil Rights, Standards for Privacy of Individually Identifiable Health Information, 5, 4 Sep. 2001, http://aspe.os.dhhs.gov/adnmsimp.final/pvcgidel.htm.

28 Final Privacy Rule Preamble, Part I, 28.

29 Jon F. Merz, Pamela Sankar, Simon S. Yoo, "Hospital Consent for Disclosures of Medical Records", 26 J.L.M. & Ethics, no. 3 (1998), 241-48.




providers to obtain their patients' consent for uses and disclosures of health information to carry out TPO.30

The Consent requirement is found at § 164.506 of the Privacy Rule. It provides that, absent a specified exception, a covered health care provider must obtain the patient's consent prior to using or disclosing protected health information for TPO.31 The Rule singles out health care providers in requiring them to obtain consent; neither health plans nor health care clearinghouses are required to obtain consent, although neither is prohibited from doing so. One of the main exceptions to requiring consent is for providers who have an indirect treatment relationship.32 As the name implies, they have no direct relationship or contact with the patient. Rather, they have a relationship with the patient's direct provider and are providing care to the patient for the direct care provider; they report any results back to the direct care provider, rather than to the patient. Thus, only health care providers who have a direct treatment relationship with the patient must obtain consent.

A consent under § 164.506 must be written in plain language, understandable to the average patient, and must inform the individual that protected health information (PHI) may be used and disclosed to carry out TPO. The consent must refer the individual to the notice required by § 164.520, and inform him or her of the right to review the notice before signing the consent. It must also inform the individual that the notice is subject to change. The consent must state that the individual has the right to request that the covered entity restrict the use or disclosure of his or her PHI and that the covered entity is not required to agree to a requested restriction; but, if it does, the restriction is binding on

30 Office for Civil Rights, supra note 27, at 5.

31 Final Privacy Rule, supra note 18, at 34.

32 Id.



the covered entity. The consent must also inform the individual of his or her right to revoke the consent in writing, except to the extent that the covered entity has taken action in reliance on the consent. Finally, the consent must be signed and dated by the individual.33

The consent requirement for direct treatment health care providers logically dictates that, without such consent, the provider is prohibited from either using or disclosing a patient's personal health information for TPO. It therefore follows, and the Rule provides, that health care providers can condition treatment on the provision of consent from the individual.34 Therefore, if an individual refuses to provide consent, the provider may refuse to treat that person. The Rule also allows health plans, but does not obligate them, to condition enrollment in the health plan on the provision of consent from the individual.35 Additionally, the Rule allows individuals to revoke their consent in writing at any time, except to the extent that the covered entity has taken action in reliance on that consent. Further, if an individual revokes his or her consent, the covered entity may refuse to continue treatment of that individual.36

As noted above, there are exceptions to the consent requirement in addition to the indirect treatment exception. A covered health care provider may use or disclose PHI for TPO, without prior consent, in three situations: in emergency treatment situations; in situations where the provider is required by law to treat the individual; and in situations where the provider is unable to obtain consent due to communication barriers. Each of these exceptions, however, requires that the provider attempt to obtain consent from the

33 Id. at 36.

34 Id. at 35.

35 Id.

36 Final Privacy Rule Preamble, Part II, 70.




individual, and that he or she document the attempts and the reasons why such attempts were unsuccessful.37

The original, proposed Privacy Rule did not contain a Consent requirement; rather, it allowed for uses and disclosures of PHI for TPO without consent because of HHS's concern that any consent would not be voluntary, but rather "coercive": either provide consent or do not receive treatment.38 There was also concern that blanket consents provided individuals neither notice nor control over how their health information would be used. The Consent requirement is still "coercive" in that treatment may be contingent upon the individual providing his or her consent, but HHS recognized, through many comments on the subject, that the act of providing and obtaining consent represents important values for both patients and health care providers. In fact, patient advocates argued that the act of signing the consent form focuses the patient's attention on the substance of the transaction and provides the patient an opportunity to ask questions and negotiate the use and disclosure of his or her health care information.40

The issue of "coerced" consent is not only mentioned by HHS in the Preamble, but also by several representatives in the health care community, and is discussed further in Section VI. While it is true that the Consent provided in the Privacy Rule is not truly voluntary, in the sense that failure to provide consent will most likely result in the individual not receiving medical treatment, it cannot truly be characterized as being "coercive". Black's Law Dictionary (Black's) defines "coerce" as, "Compelled to


37 Id.

38 Final Privacy Rule Preamble, Part I, 27.

39 Final Privacy Rule Preamble, Part III.

40 Id.




compliance; constrained to obedience, or submission in a vigorous or forcible manner."41 It is certainly not criminal coercion, which Black's defines as, "A person is guilty of criminal coercion if, with purpose to unlawfully restrict another's freedom of action to his detriment, he threatens to: (a) commit any criminal offense; or (b) accuse anyone of a criminal offense; or (c) expose any secret tending to subject any person to hatred, contempt or ridicule, or to impair his credit or business repute; or (d) take or withhold action as an official, or cause an official to take or withhold action."42 Duress is often associated with coercion. Black's defines it as, "A condition where one is induced by wrongful act or threat of another to make contract under circumstances that deprive him of exercise of his free will."43 While the health care community's use of "coerce" does not meet the "legal" definitions of the word or its associated terms, it is widely used in the community and is a source of great concern there; therefore, references to it appear in this paper and should be understood as "non-voluntary", rather than "coercive".

While the Consent requirement provides notice and protection for the use and disclosure of PHI for TPO, the Rule authorizes disclosures of PHI for activities other than TPO.

B. Authorizations

§ 164.508 of the Rule provides for Authorizations. In order to use and disclose protected health information for purposes other than TPO, a covered entity must obtain an Authorization.44 While only health care providers are required to obtain Consent for TPO, all covered entities are required to obtain an Authorization from an individual in

41 Black's Law Dictionary 234 (5th ed. 1979).

42 Id. at 235.

43 Id. at 452.

44 Andrew B. Wachler and Phyllis A. Avery, "Complex Privacy Regulations Have Far Reaching Impact", 13 No. 3 Health Law, 7 (April 2001).




order to use or disclose protected health information for ancillary purposes, such as marketing, pre-enrollment underwriting, or employment determinations.45 An authorization must be written in more specific terms than a Consent, and a covered entity is not allowed to condition treatment on the provision of an Authorization.46

The prohibition on conditioning treatment on an authorization is intended to prevent covered entities from "coercing" individuals into authorizing a use or disclosure of their PHI that is not necessary to carry out the primary services that the covered entity provides. As an example, "A health care provider could not refuse to treat an individual because the individual refused to authorize a disclosure to a pharmaceutical manufacturer for the purpose of marketing a new product."47 There is, however, an exception to this prohibition. When a covered entity provides treatment for the sole purpose of providing information to a third party, the covered entity may condition that treatment on obtaining an authorization to use or disclose the PHI necessary for that purpose. An example of this is, "A covered health care provider may have a contract with an employer to provide fitness-for-duty examinations to the employer's employees. The provider may refuse to conduct the examination if an individual refuses to authorize the provider to disclose the results of the examination to the employer."48

In order for an authorization to be valid, it must contain the following elements:

- A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;


45 HIPAAdvisory, "Consents and Authorizations Explored", 4 Jan. 2002, http://www.hipaadvisory.com/action/advisor/HIPAAdvisor12.htm.

46 Andrew B. Wachler, supra note 44.

47 Final Privacy Rule Preamble, Part II, 78.

48 Id. at 79.




- The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure;

- The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;

- An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;

- A statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;

- A statement that information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule;

- Signature of the individual and date; and

- If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual.49

V. MINIMUM NECESSARY STANDARD

The Minimum Necessary standard arose from the concern that an individual's medical records and other protected health care information were accessible to too many people. It is not a strict standard, or a specifically defined one; rather, it is intended to make covered entities evaluate their current practices and implement procedures and protections, as needed, to prevent unnecessary disclosures of protected health information.50


49 Final Privacy Rule, supra note 18, at 40.

50 HIPAAdvisory, "When Does 'Minimum Necessary' Apply?", 1, 4 Jan. 2002, http://www.hipaadvisory.com/action/advisor/HIPAAdvisor18.htm.




The Privacy Rule organizes the varying uses and disclosures of protected health information into three categories and imposes different requirements for compliance with the Minimum Necessary standard for each category:

- Internal Use of PHI. Covered entities are required to audit their operations and identify the persons or classes of persons within their operations who need access to PHI to carry out their job duties, the categories or types of PHI that each of these classes of people require, and under what conditions such persons will need to access the PHI necessary to perform their jobs. Policies and procedures must be implemented to ensure that the use of PHI remains limited to the necessary scope as identified in the audit.

- Routine Disclosures. For routine or recurring requests and disclosures, covered entities must develop standard protocols, policies, and procedures which limit the PHI disclosed or requested to the minimum necessary to achieve the purpose of that particular disclosure or request. Each disclosure does not have to be individually reviewed.

- Non-Routine Disclosures. Covered entities are required to develop criteria that will allow them to consistently determine the minimum amount of PHI necessary to accomplish the intended purpose of the disclosure in response to non-routine requests. Unlike the preceding categories, non-routine requests must be evaluated on an individual, case-by-case basis in accordance with the criteria developed by the covered entity to ensure the minimum necessary disclosure.51

The Minimum Necessary standard does not apply to the following uses and disclosures:

- Disclosures to or requests by a health care provider for treatment purposes.

- Disclosures to individuals who are the subject of the information.

- Uses or disclosures made pursuant to an authorization by the individual.


51 Id. at 2.




- Uses or disclosures required for compliance with standardized HIPAA transactions.

- Disclosures to HHS.

- Uses or disclosures required by law.52

Oddly, while there are no exceptions to the Minimum Necessary standard in the Rule regarding uses of PHI, there is an exception for disclosures for treatment purposes. Therefore, a covered entity must apply the Minimum Necessary standard internally for treatment purposes, but does not have to do so with respect to outside providers for treatment purposes. Additionally, a covered entity may rely, if reasonable, on a request for disclosure of PHI as being the minimum necessary for the given purpose.53 Based on this reliance, a covered entity making such a request must limit the request for protected health information to the minimum necessary to accomplish the purpose for which the request is made.54 A covered entity may also rely on the assertions of professionals, such as attorneys and accountants, who are either its employees or employees of its business associates, regarding what protected health information is needed in order for them to provide the necessary professional services to the covered entity, when such a person represents that the requested information is the minimum necessary.55

Also of note is the use or disclosure of medical records. For all uses, disclosures, and requests for which the Minimum Necessary standard applies, a covered entity may not use, disclose, or request (UDR) an entire medical record, except when the entire medical record is specifically justified as reasonably necessary to accomplish the purpose


52 Final Privacy Rule, Regulation Text, 23.

53 Id. at 62.

54 Id.

55 Final Rule Preamble, Part II.




of the UDR.56 Further, UDR of the entire medical record absent such documented justification is a presumptive violation of the Rule.57 This medical record rule does not apply in situations where a medical record is being disclosed to an outside health care provider for treatment purposes, because the Minimum Necessary standard does not apply in that situation. The medical record rule does apply, however, to uses within a covered entity for treatment purposes. The Minimum Necessary standard appears to put more faith in external disclosures between entities that may or may not know each other than it does in internal uses by providers who most likely know and work with each other on a daily basis.

The Minimum Necessary standard is intended to reflect professional judgment and standards. HHS expects that covered entities will implement policies that allow persons involved in treatment to have access to the entire record, as reasonably needed.58 The Minimum Necessary standard does not apply strict parameters around the definition of "Minimum Necessary"; rather, each covered entity should develop policies and procedures that will work for it. Because of this, HHS is likely to look at best practices across the health care industry when making determinations on compliance.

The Minimum Necessary standard is seen by many to be the embodiment of the Privacy Rule. It gives meaning to the presumption that health care information is not to be disclosed to third parties unless that disclosure is necessary to carry out a specific purpose, and then only to the extent necessary to carry out that specific purpose.59 This

56 Final Privacy Rule, supra note 18, at 63.

57 Final Rule Preamble, Part II.

58 Id.

59 Ronald Weich, "Significance of the 'Minimum Necessary' Standard." National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality, Washington D.C., 2, 22 Aug. 2001. 24 Sep. 2001, http://www.ncvhs.hhs.gov/010822p4.htm.




standard directly attacks the sloppy practice in today's medical record keeping, in which a valid request for one aspect of a patient's record leads to the disclosure of the entire record.

VI. HEALTH CARE COMMUNITY CONCERNS AND RECOMMENDATIONS

The health care community has a vested interest in the Privacy Rule and, not surprisingly, has made its interests known to the regulators. The Subcommittee on Privacy and Confidentiality of the National Committee on Vital and Health Statistics held hearings in August 2001 on the Privacy Rule. Testimony at the hearing was received from a cross-section of the health care community, including: the National Committee for Quality Assurance (NCQA); Kaiser Permanente; the Institute for Health Freedom; the Mayo Foundation; the Health Insurance Association of America (HIAA); the American Medical Association (AMA); the American Pharmaceutical Association (APhA); the American Association of Health Plans (AAHP); the National Association of Community Drug Stores (NACDS); the National Association of Insurance Commissioners (NAIC); the Association of American Physicians and Surgeons (AAPS); the Association of American Medical Colleges (AAMC); and the Disease Management Association of America (DMAA). While each organization commended the overall thrust of the Privacy Rule, each voiced concerns about the Rule's impact from its own perspective, specifically focusing on the consent requirement and the minimum necessary standard. Based on these concerns, each organization made recommendations to best alleviate the adverse impacts of the Rule while maintaining the Rule's overarching purpose.

A. Consent Requirement Concerns




While each organization has concerns from its own perspective, they can be grouped into four main categories: the coercive nature of the consent requirement; the administrative burden of the consent requirement; the broad definition of health care operations; and the effects of revocation of consent.

The "coercive" nature of the consent requirement. "Informed consent describes a condition appropriate only when data providers [patients] have a clear choice. They must not be, nor perceive themselves to be, subject to penalties for failure to provide the data sought."60 The consent requirement in the Privacy Rule does not meet this definition. In fact, it specifically states, "A covered health care provider may condition treatment on the provision by the individual of a consent..." and further states, "A health plan may condition enrollment in the health plan on the provision by the individual of a consent under this section sought in conjunction with such enrollment."61 The consent requirement will, therefore, serve to "coerce" prospective patients into allowing their PHI to be used and disclosed for TPO.

While it makes sense that a health care provider would need access to a patient's medical record in order to treat him or her, the "coercive" nature of the consent requirement could put health care providers in an adversarial position to the patient. The main concern with the "coercive" nature of the consent requirement does not appear to involve uses and disclosures for either treatment or payment purposes; the main concern, rather, is in relation to uses and disclosures for health care operations.

60 George T. Duncan, Thomas B. Jabine, and Virginia A. de Wolfe, Private Lives and Public Policies: Confidentiality and Accessibility of Government Statistics (Washington, DC: National Academy Press, 1993), quoted in Sue Blevins, Testimony, National Committee on Vital and Health Statistics Subcommittee on Privacy and Confidentiality, Washington D.C., 21 August 2001. 24 Sep. 2001, http://www.ncvhs.hhs.gov/010821p4.htm.

61 Final Privacy Rule, supra note 18, at 35.




Ms. Sue Blevins, President of the Institute for Health Freedom, stated in her testimony before the Subcommittee, "The rule codifies a new ethical code for medical care in the United States: individuals now may be denied medical treatment for failing to share personally identifiable information for purposes of 'health care operations'..."62 The Hurley decision,63 the "No Duty Rule", is still good law: "Physicians are not obligated to provide care to a particular patient unless they have agreed to do so."64 However, the "No Duty Rule" does not apply to hospital treatment in many cases (true emergencies).65 Ms. Blevins' remark suggests that there would be no real ethical dilemma where a person was denied medical care for failing to share PHI for treatment or payment purposes. The dilemma centers on the uses and disclosures for health care operations. The reason that she and others within the health care community are concerned with health care operations is not because of some of the activities that make up health care operations, but rather because of the broad definition given to it in the Privacy Rule.

The broad definition of health care operations. The Privacy Rule's definition of health care operations, quoted in section IV, can reasonably be seen as being all-encompassing. The Final Rule's definition includes more activities than in the Proposed Rule,66 and these definitional add-ons are most troubling to the health care community. There are two new categories: Business planning and development, and Business management and general administrative activities of the entity. The latter category even


62 Sue A. Blevins, supra note 60.

63 Hurley v. Eddingfield, 59 N.E. 1058 (Ind. 1901).

64 William J. Curran, Mark A. Hall, Mary Anne Bobinski, David Orentlicher, Health Care Law and Ethics, 5th Edition, Aspen Law & Business, 1998, p. 128.

65 Id. at 134.

66 Final Privacy Rule Preamble, Part I, supra note 38, at 32.




includes fundraising (for the benefit of the covered entity) and marketing activities (of certain services to individuals served by the covered entity).67

Several organizations within the health care community voiced specific concern about the effect that the definition of health care operations would have on patients' "voluntarily" consenting to the use of their PHI. One such organization, the AMA, stated in its testimony before the Subcommittee that a broad definition of health care operations that included what it termed non-routine, non-critical activities would have the effect of coercing patients to consent to uses and disclosures of their PHI for many activities that should be optional.68 Looked at from the patient's perspective, in order to get the medical care needed for a given ailment, the patient not only needs to consent to the medically necessary uses and disclosures of his or her PHI, but, if he or she really wants to receive treatment, he or she will also have to consent to other uses and disclosures of the PHI that have no bearing on his or her medical care, such as fundraising and marketing activities.

The Institute for Health Freedom introduced another concern centering on the broad definition of health care operations: the possible loss of protection for PHI that goes to third parties. Several health care operation activities will be undertaken by third parties. The Preamble to the Final Rule specifically states, "Disclosures for health care operations may be made to an entity that is neither a covered entity nor a business associate of the covered entity."69 This is troubling because, as stated in the Final Rule, "Once protected health information leaves a covered entity the Department [HHS] no


67 Id.

68 Jacqueline M. Darrah, MA, JD, "Consent Issues in Implementation of the 'Standards for Privacy of Individually Identifiable Information'." National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality, Washington D.C., 21 Aug. 2001. 24 Sep. 2001, http://www.ncvhs.hhs.gov/0100821p6.htm.

69 Final Privacy Rule Preamble, Part I, supra note 38, at 33.




longer has jurisdiction under the statute to apply protections to the information."70 Therefore, not only does the Final Rule mandate that patients consent to uses and disclosures of their PHI for purposes that include health care operations in order to receive their medical care, it also mandates that they consent to blindly letting their PHI go to third parties over whom DHHS has no jurisdiction and, thus, whose information it cannot protect.

The  administrative  burden  of  the  consent  requirement.  When  patients  seek 
medical  care,  they  reasonably  expect  that  their  PHI  will  be  used  for  legitimate  purposes 
to  further  their  medical  care.  Mr.  Bruce  Kelly,  Director  of  Government  Relations  for 
Mayo  Foundation,  in  his  testimony  before  the  Subcommittee  for  Privacy  and 
Confidentiality,  listed  some  reasonable  patient  expectations  for  the  use  and  disclosure  of 
their  PHI: 

-  Patients  who  seek  treatment  expect  that  their  treatment  will  be  based 
on  accurate  and  complete  information,  available  to  all  the 
professionals  involved  in  their  treatment. 

-  Patients  expect  that  their  health  care  provider  will  rely  on  patient 
information  to  receive  payment  for  the  medical  services  delivered. 

-  Patients  expect  that  patient  information  will  be  used  by  providers  to 
fulfill  their  obligations  to  provide  quality  care  and  assure  patient  and 
employee  safety.71 

Mr. Kelly further stated that requiring prior consent for the use and disclosure of
PHI will do nothing to change these expectations. The only sure result of the consent
requirement is the creation of additional "nuisance" paperwork and of problems for


70  Sue  A.  Blevins,  supra  note  60,  at  4. 

71 Bruce Kelly, Testimony, National Committee on Vital and Health Statistics, Subcommittee on Privacy
and Confidentiality, Washington D.C., 21 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010821p3.htm.


conscientious health care providers.72 The Healthcare Leadership Council, in a letter to
Secretary Tommy G. Thompson, HHS, wrote, "Adding yet another mandatory form to the
already unmanageable paperwork burden that physicians and practitioners face on a daily
basis does not effectively achieve the shared goals of health care providers and HHS to
provide patient privacy protection and access to health care."73 The Council further used
Secretary Thompson's own words to support this sentiment: "Over-regulation undermines
quality of care and health care delivery by using scarce resources unproductively. We
can help improve patient care by bringing more common sense into the regulatory
process...We need to act quickly when there are problems with our regulations."74

Several  organizations  in  the  health  care  community  voiced  concerns  about  the 
effects  of  the  administrative  burdens  of  the  consent  requirement  on  patient  care  and 
quality  assurance.  The  APhA  in  its  testimony  before  the  Subcommittee  voiced  concern 
about  the  consent  requirement  creating  an  administrative  and  financial  burden  that  will 
adversely  affect  patient  care.75  The  consent  requirement  erects  significant  barriers  to  the 
quick,  efficient,  and  safe  delivery  of  health  care  that  patients  count  on  pharmacists  to 
provide.  APhA  testimony  used  language  from  the  Proposed  rule,  which  lacked  the 
consent  requirement,  to  show  the  ill  effects  of  the  consent  requirement,  "According  to  the 
proposed  rule,  prior  consent  is  unworkable,  unrealistic,  and  would  not  provide 
meaningful  privacy  protection."76  A  delay  created  by  the  consent  requirement  can  cause 
patient  inconvenience  and  delay  access  to  necessary  treatment.  For  example,  "A  mother 

72  Id. 

73  Healthcare  Leadership  Council,  Letter  to  Secretary  Tommy  G.  Thompson,  U.S.  Department  of  Health 
and  Human  Services,  8  Feb.  2002.  23  Feb.  2002  http://www.hlc.org/html/2-08-02specgrpconst.html.  p.  1. 

74  Id. 

75 Ms. Susan C. Winckler, RPh, JD, Director of Policy and Advocacy for the American Pharmaceutical
Association,  Testimony,  National  Committee  on  Vital  and  Health  Statistics,  Subcommittee  on  Privacy  and 
Confidentiality,  21  Aug.  2001.  24  Sep.  2001  http://www.ncvhs.hhs.gov/010821p5.htm. 

76  Id.  at  2,  citing  64  Federal  Register  at  59,941. 


with an ill infant will not be able to pick up an antibiotic phoned in by her pediatrician
until she arrives at the pharmacy, reads, and completes the consent form."77 Kaiser
Permanente  in  its  testimony  before  the  Subcommittee  spoke  of  the  consent  requirement's 
effect  on  health  care  operations.  "No  health  care  information  in  our  systems  can  be 
lawfully  used  until  consent  is  obtained;  yet  we  have  no  practical  way  to  segregate  the 
data for members who have consented from those who have not...All existing data would
have  to  be  either  blocked  or  archived."78  Kaiser  Permanente  noted  that  the  consent 
requirement  will,  thus,  have  a  detrimental  effect  on  quality  review,  provider 

credentialing, planning, evaluation of drugs, and medical devices.79

Another  concern  regarding  the  administrative  burden  of  the  consent  requirement 
is  its  effect  on  the  physician-patient  relationship.  The  Mayo  Foundation  believes  that  the 
"whole  model"  of  confronting  patients  when  they  enter  the  office  with  consent 
requirements  is  bad  medical  practice.  The  current  number  of  patient-completed  forms  for 
regulatory  purposes  is  already  quite  burdensome  to  patients  and  providers.  It  stated,  "The 
increasing  demand  placed  on  patients  will  likely  lead  to  hastily  completed  forms  and 
potentially inaccurate information that may impair the goal of patient care...This
immediate  obligation  for  the  patient  has  a  high  likelihood  of  damaging  the  physician- 
patient  relationship."80 

Because consent is required for much more than treatment, including activities that
involve the use of medical records well past treatment, such as quality reviews and
adverse medication notifications, the consent requirement creates a large burden,

77  Id.  at  2. 

78  Ms.  Mary  Henderson,  National  HIPAA  Program  Director  for  Kaiser  Permanente,  Testimony,  National 
Committee  on  Vital  and  Health  Statistics  Regarding  the  HIPAA  Consent  Requirement,  p.  3. 

79  Id. 

80  Bruce  Kelly,  supra  note  71,  at  3. 


especially  for  the  larger  organizations,  to  obtain  consents  from  not  only  those  patients 
who  are  currently  receiving  treatment,  but  also,  arguably,  from  all  former  patients  as 
well.  Kaiser  Permanente  has  8.2  million  current  members  and  over  35  million  former 
members  who,  under  the  consent  requirement  will  need  to  provide  consent  in  order  for 
Kaiser  Permanente  to  use  their  PHI  after  April  14,  2003.81  The  administrative  burden  of 
just  finding  the  members  and  former  members,  some  who  have  moved,  some  who  have 
married  and  changed  names,  and  some  who  have  died  is  mind-boggling.  Once  such 
individuals  are  found,  there  is  then  the  burden  of  obtaining  the  consent,  via  mail  most 
likely,  with  the  predictable  low  return  rate.  Kaiser  Permanente  stated  that,  even  for  the 
patients  coming  in  for  care,  there  will  be  a  significant  burden.  Given  the  managed  care 
environment,  physician-patient  appointment  times  are  already  critically  short.  Given  the 
number  of  its  members,  adding  just  one  minute  for  consent  to  the  Kaiser  Permanente 
medical  office  visit,  which  seems  quite  optimistic,  will  significantly  increase  staff 
workload and patient wait times. As an example, "Kaiser Permanente providers in
California deliver care for approximately 25 million member visits per year, and a minute
added to each visit registration would roughly equal 420,000 hours of new staff workload
that would need to be supported in California alone."82

The  effects  of  revocation  of  consent.  "Upon  receipt  of  the  written  revocation,  the 
covered  entity  must  stop  processing  the  information  for  use  or  disclosure,  except  to  the 
extent  that  it  has  taken  action  in  reliance  on  the  consent."83  While  revocation  of  consent 
will  likely  lead  to  the  termination  of  any  treatment,  its  effects  will  be  greatest  in  areas 


81  Ms.  Mary  Henderson,  supra  note  78,  at  2. 

82  Id.  at  6. 

83  Final  Rule  Preamble  II,  supra  note  36,  at  70. 


such  as  notifications  for  adverse  medication  reactions,  quality  reviews,  and  health 
statistics. 

The  APhA  is  very  concerned  with  the  effects  of  revocation  of  consent.  According 
to  APhA,  in  situations  such  as  the  identification  of  a  contaminated,  counterfeit,  or 
ineffective  product,  urgent  notification  of  the  patient(s)  is  required.  For  example, 
"pharmacists  use  individually  identifiable  information  to  contact  patients  who  have 
received  a  specific  medication  that  is  the  subject  of  a  recall  by  the  Food  and  Drug 
Administration  (FDA)."84  Under  the  Final  Rule,  a  pharmacist  would  not  be  able  to 
contact  and,  thus,  warn  any  patients  who  may  have  revoked  their  consent.  In  the  last  year 
there  was  a  very  serious  case  where  patients  may  have  received  an  over-diluted 
chemotherapy  medication.85  Those  potentially  affected  patients  needed  to  be  notified 
immediately.  Revocation  of  consent,  in  that  case,  could  likely  have  caused  unneeded  loss 
of  life.  APhA  stated  that  situations  such  as  the  above  one  may  fit  the  exception  for 
emergency  situations,  but  further  stated,  "Any  hesitation  caused  by  concern  for 

compliance with this regulation is unacceptable - but such hesitation could occur."86

Hospitals  and  health  plans  use  medical  records  to  perform  quality  assessments 
and  peer  review.  Revocation  of  consent  would  render  that  patient's  medical  records  off 
limits  to  review,  and  thus  any  lessons  learned  from  that  patient's  care  would  be  lost.  The 
Mayo  Foundation  noted  that  a  patient  who  was  unhappy  with  a  medical  outcome  may  be 
the  most  likely  to  revoke  consent.  Therefore,  the  cases  that  would  be  of  greatest  benefit 


84 Ms. Susan C. Winckler, supra note 75, at 2.

85 Id.

86 Id.

to  review  for  peer  review  and  quality  assurance  purposes,  may  be  the  cases  where  access 
to  PHI  has  been  revoked.87 

The  NCQA  voiced  concern  about  the  effects  revocation  of  consent  would  have  on 
the  health  plans'  ability  to  perform  key  functions.  It  testified  before  the  Subcommittee  on 
Privacy  and  Confidentiality  that  prohibiting  health  care  providers  from  disclosing  an 
individual's  PHI  would  adversely  impact  their  ability  to  perform  quality  and  utilization 
reviews.88  NCQA  believes  that  this  would  result  in  limiting  health  plans  to  merely 
performing  finance  and  insurance  functions.  They  would,  therefore,  lose  their  unique 
capacity  to  "marshal"  their  considerable  resources  in  advancing  quality  health  care.89 

Another  area  where  access  to  medical  records  is  essential  is  in  the  compilation  of 
health  statistics.  Such  statistics  play  a  vital  role  in  assessing  the  requirements  of  future 
medical  services  and  in  assessing  the  incidence  rate  of  diseases.  Kaiser  Permanente 
noted  that,  in  order  to  provide  Medicare  services,  it  is  necessary  to  use  data  from  the  past 
four  to  five  years  to  plan  for  upcoming  coverage  years.  "It  is  essential  for  continuing  and 
future  members  for  the  plan  to  use  that  information  to  determine  what  kind  of  facilities 
are  likely  to  be  necessary,  what  kinds  of  diseases  and  treatments  need  to  be  considered, 
and  the  number  and  kinds  of  physicians  and  other  health  care  providers  to  whom 
members  will  need  access."90  Incidence  rates,  cure  rates,  and  other  vital  statistics  are 
routinely  gathered  on  a  myriad  of  diseases  to  assess  public  health  threats  and 
advancements.  Such  statistics  are  vital  in  assessing  health  risks  as  well  as  prognoses  for 


87  Bruce  Kelly,  supra  note  71,  at  3. 

88 Sharon King Donohue, General Counsel of the National Committee for Quality Assurance, Testimony,
National Committee on Vital and Health Statistics, Subcommittee on Privacy and Confidentiality, 21 Aug. 2001.
24 Sep. 2001 http://www.ncvhs.hhs.gov/010821p2.htm, p. 4.

89  Id. 

90  Susan  Winckler,  supra  note  75,  at  8. 


certain  diseases.  Revocation  of  consent  could  wreak  havoc  with  these  statistics.  Records 
for  which  there  has  been  a  revocation  of  consent  cannot  be  used  in  statistical  data; 
therefore,  the  accuracy  of  the  statistics  will  be  adversely  affected.  Inaccurate  statistics 
could  then  lead  to  misallocations  of  resources  for  future  medical  services,  causing  health 
care  costs  to  further  escalate. 

Other  concerns.  One  of  the  stated  goals  of  HIPAA  Administrative  Simplification 
is  to  improve  the  efficiency  and  effectiveness  of  the  health  care  system  by  encouraging 
the  development  of  electronic  health  information  systems.  Ironically,  according  to  Kaiser 
Permanente,  the  consent  requirement  is  likely  to  be  easiest  to  administer  by  a  single-site 
health  care  provider  that  uses  paper  records.  For  larger  organizations,  such  as  health  care 
systems,  who  have  multiple  sites,  the  process  of  obtaining  the  consent,  storing  it,  tracking 
it,  and  updating  its  status  will  be  very  onerous.91 

Finally,  health  care  providers  feel  they  will  be  placed  in  an  untenable  position  by 
the  consent  requirement.  "The  right  of  a  provider  to  condition  treatment  upon  the  patient 
giving  written  consent  is  often  meaningless  within  the  ethical  practice  of  medicine.  In 
many  circumstances,  the  health  care  provider  is  under  an  ethical  obligation,  and  often  a 
legal  obligation,  to  render  the  proper  care  when  necessary,  even  if  a  patient  refuses  to 
sign  a  form."92  In  a  situation  where  a  patient  revokes  consent  during  hospitalization,  the 
health  care  provider  would  be  ethically  and  legally  obligated  to  continue  treatment; 
however,  in  order  to  comply  with  the  Privacy  Rule,  he  or  she  would  have  to  do  so 
without  the  aid  of  the  patient's  PHI  (medical  record).93 


91  Mary  Henderson,  supra  note  78,  at  2. 

92  Bruce  Kelly,  supra  note  71,  at  2. 

93  Id. 


B.  Consent  Requirement  Recommendations 

The  organizations  in  the  health  care  community  did,  indeed,  make  their  concerns 
known  to  the  Subcommittee;  however,  they  went  a  significant  step  further  by  providing 
the  Subcommittee  a  myriad  of  recommendations  on  how  to  improve  the  Privacy  Rule  as 
it  pertains  to  the  consent  requirement.  The  recommendations  ranged  from  complete 
deletion  of  the  consent  requirement  to  several  alternatives  for  modifying  the  consent 
requirement,  including  the  changing  of  key  definitions,  restricting  the  consent 
requirement  to  routine  and  necessary  purposes,  and  restricting  the  consent  requirement  to 
uses  other  than  routine  or  necessary  purposes. 

Deletion  of  consent  requirement.  It  is  reasonable  to  assume  that,  when  a  person 
seeks  medical  care,  he  or  she  understands  that  his  or  her  PHI  will  be  necessary  for  TPO, 
especially  for  treatment  and  payment  purposes.  With  this  assumption  in  mind,  several 
organizations  recommended  complete  deletion  of  the  consent  requirement  from  the 
Privacy  Rule.  Each  organization  gave  its  own  rationale  for  recommending  deletion  of  the 
consent  requirement. 

The  Mayo  Foundation  recommended  that  the  consent  requirement  be  deleted  from 
the  Privacy  Rule  essentially  because  patients  reasonably  expect  their  PHI  to  be  used  for 
TPO  purposes.  In  contrast,  Kaiser  Permanente  recommended  deletion  of  the  consent 
requirement  because  it  is  coercive.  Its  conclusion  was  aided  by  HHS's  stated  purpose  for 
not putting the consent requirement into the Proposed Rule: "In the NPRM, we expressed
concern  about  the  coercive  nature  of  consents  currently  obtained  by  providers  and  plans 
relating  to  the  use  and  disclosure  of  health  information."94  Though  HHS  put  the  consent 
requirement  in  the  Final  Rule,  it  again  stated  concern  about  the  coercive  nature  of  the 

94 Final Privacy Rule, Preamble, Part I, supra note 38, at 27.


consent  requirements.95  It  also  reasoned  that  the  consent  requirement  could  be  deleted 
because  the  Final  Rule  already  provided  other  meaningful  tools  that  will  serve  to  protect 
an  individual's  medical  privacy.96 

The  NCQA,  concerned  that  the  consent  requirement  at  the  provider  level  may 
obstruct  health  plan  access  to  information  needed  to  support  vital  quality  of  care 
measures,  recommended  that  the  original  provisions  of  the  Proposed  Rule  be  adopted. 
This  would  allow  health  care  providers  to  use  and  disclose  PHI  for  TPO  without  having 
to  obtain  consent.  NCQA  emphasized  that  the  notice  requirement  should  be 
maintained.97  The  notice  requirement  will  ensure  that  individuals  are  apprised  of  the  uses 
and  disclosures  of  their  PHI,  while  avoiding  the  administrative  burden  of  the  consent 
requirement.  The  Healthcare  Leadership  Council  joined  the  NCQA  in  this 
recommendation. 98 

The  APhA  also  recommended  adoption  of  the  Proposed  Rule's  provisions.  This 
would  help  health  care  providers  and  patients  to  better  distinguish  between  activities  that 
could  be  undertaken  without  any  consent  (TPO)  and  other  activities  requiring  written 
authorization,  such  as  fundraising.99 


95  Id.  "While  our  concern  about  the  coerced  nature  of  these  consents  remains,  many  comments  that  we 
received  from  individuals,  health  care  professionals,  and  organizations  that  represent  them  indicated  that 
both patients and practitioners believe that patient consent is an important part of the current health care
system  and  should  be  retained." 

96  Mary  Henderson,  supra  note  78,  at  2.  The  other  tools  are:  1)  precise  limits  on  the  allowable  uses  and 
disclosures  of  PHI;  2)  a  notice  provision;  3)  specific  written  authorizations  for  other  uses  outside  of  TPO; 
and  4)  sanctions  for  misuse  of  PHI. 

97  Sharon  King  Donohue,  supra  note  88,  at  4. 

98 Healthcare Leadership Council, Letter to Secretary Tommy G. Thompson, U.S. Department of Health
and Human Services, 8 Feb. 2002. 23 Feb. 2002 http://www.hlc.org/html/2-08-02specgrpconst.html.

99  Susan  C.  Winckler,  supra  note  75,  at  5. 


Modifications to the Consent Requirement. In lieu of deleting the entire consent
requirement from the Privacy Rule, several organizations recommended modifications
that  would  alleviate  their  concerns  with  the  consent  requirement. 

The AMA strongly recommended narrowing the definition of health care
operations.  The  definition  should  be  narrowed  to  include  only  routine  and  necessary 
purposes.  The  AMA  believes  that  it  would  be  appropriate  for  health  care  providers  to 
condition  medical  treatment  or  for  health  plans  to  condition  enrollment  on  the  patient's 
consent  to  use  or  disclosure  of  PHI,  but  only  as  it  relates  to  TPO  with  the  narrow 
definition  of  health  care  operations.100  The  AMA  recommends  that  authorization,  in  lieu 
of  consent,  be  required  for  non-critical,  non-routine  uses  and  disclosures  of  PHI.  The 
narrowing  of  the  definition  of  health  care  operations  is  critical,  especially  in  the  event 
that  the  consent  requirement  is  deleted  in  its  entirety.101  Otherwise,  in  the  event 
authorization  requirements  were  not  modified  to  include  the  non-routine,  non-critical 
uses  and  disclosures,  an  individual's  PHI  will  be  freely  subject  to  uses  and  disclosures  by 
health  care  providers,  health  plans,  and  even  third  parties  for  purposes  beyond  that 
reasonably  contemplated  by  an  individual. 

The  Mayo  Foundation,  as  an  alternative  to  deleting  the  consent  requirement, 
recommended  that  "Records  created  before  implementation  of  this  rule  should  be  exempt 
from  the  consent  requirement  until  a  patient  encounter  occurs  after  the  implementation  of 
this  rule."102  The  alternative  recommendation  would  greatly  lessen  the  administrative 
burden  of  locating  and  contacting  an  organization's  entire  patient  population,  which  was  a 
great  concern  for  larger  organizations. 


100  Jacqueline  M.  Darrah,  supra  note  68,  at  4. 

101  Id. 

102  Bruce  Kelly,  supra  note  71,  at  2. 


Kaiser Permanente, as an alternative to the complete deletion of the consent
requirement,  recommended  seven  measures  to  aid  in  lessening  the  negative  impact  of  the 
HIPAA  consent  requirement: 

-  Allow  continued  use  of  the  data  collected  before  the  April  14,  2003 
compliance  deadline  and  require  consent  only  for  data  collected  after 
that  date. 

-  Allow  use  and  disclosure  of  data  collected  before  revocation  for 
continuing  TPO. 

-  Allow  the  continued  use  of  data  until  a  patient  makes  a  physical 
appearance  and  is  able  to  sign  a  consent  form. 

-  Make  the  HIPAA  consent  requirement  inapplicable  to  states  that  have 
statutory  authorization  for  the  use  and  disclosure  of  PHI. 

-  Defer  the  consent  requirement  for  five  years.  Then  assess  whether  the 
other  HIPAA  tools  provide  adequate  protection. 

-  Reconcile  conflicting  laws,  such  as  those  that  do  not  permit 
disenrollment  upon  the  revocation  of  consent. 

-  Rely  on  parental  consent  for  a  child  who  reaches  the  age  of  majority  until 
that  new  adult  comes  in  for  care.103 

Kaiser  Permanente's  alternatives  would  lessen  the  administrative  burden  of  the  consent 
requirement  as  well  as  the  effects  of  revocation.  Specifically,  they  would  allow  for  the 
continued  use  of  PHI  whose  uses  and  disclosures  had  either  been  consented  to  or  had 
been  used  and  disclosed  prior  to  the  compliance  date  of  the  Privacy  Rule.  This  would 
allow  for  uninterrupted  care,  and  would  allow  health  plans  to  continue  to  obtain  the 
needed  information  for  quality  and  utilization  reviews. 

The  APhA,  as  an  alternative  to  deleting  the  consent  requirement,  recommended 
several  possible  modifications.  First,  it  recommended  that  the  Rule  be  modified  so  that 
the  very  act  of  presenting  a  prescription  to  the  pharmacy  (in  person  or  via  telephone  or 


103  Id.  at  3,4. 


computer)  qualifies  as  implied  consent.104  This  recommendation  would  serve  to  alleviate 
the  administrative  burden  of  obtaining  consent  and  any  adverse  effects  that  the  consent 
requirement  (either  in  its  attainment  or  in  its  revocation)  would  have  on  patient  care  and 
notification of adverse medication incidents. It next recommended that the word
"prior"  be  deleted  from  the  consent  requirement.  This  would  not  alleviate  the 
administrative  burden  of  the  consent  requirement,  but  it  would  minimize  any  disruptions 
in  the  provision  of  health  care.  APhA  also  recommended  allowing  one  consent  form  to 
cover  all  TPO  for  any  and  all  covered  entities.105  This  modification  would  serve  to 
reduce  the  administrative  burden  of  the  consent  requirement,  and  would  allow  for 
smoother,  more  efficient  medical  care.  Physicians  would  be  able  to  disclose  information 
to  another  physician  or  pharmacist  who,  in  turn  could  use  the  PHI  for  TPO.  Finally, 
APhA  recommended  that  the  compliance  date  be  delayed  until  two  years  after  the  release 
of  the  final  modifications.106  HHS  has  indicated  that  further  modifications  would  be 
released,  which  has  created  some  uncertainty  as  to  what  final  requirements  will  be.  The 
recommended  delay  would  allow  covered  entities  sufficient  time  to  ensure  compliance 
with  the  Rule. 

C.  Minimum  Necessary  Standard  Concerns 

While each organization had concerns from its own perspective, looking at them as a
whole, their concerns can be grouped into three main categories: the vagueness and
ambiguity  of  the  minimum  necessary  standard;  the  prejudicial  nature  of  partial 
information;  and  the  effects  the  minimum  necessary  standard  may  have  on  quality  health 
care. 


104  Id. 

105  Id. 

106  Id. 


The  vagueness  and  ambiguity  of  the  minimum  necessary  standard.  In  July  2001 
HHS  released  guidance  on  the  minimum  necessary  standard  which  stated  that  it  expected 
covered  entities  to  exercise  "substantial  discretion  as  to  how  to  implement  the  minimum 
necessary  standard,  and  appropriately  and  reasonably  limit  access  to  the  use  of 
identifiable health information..."107 The guidance further stated that the standard
"requires covered entities to make their own assessment of what PHI is reasonably
necessary for a particular purpose, given the characteristics of their business and
workforce, and to implement policies and procedures accordingly."108 As brought out in
the  guidance,  the  Minimum  Necessary  standard  does  not  provide  specific  steps  to  follow 
for  adherence;  rather,  it  provides  a  very  general  framework  and  places  great  discretion  on 
covered  entities.  HIAA,  NCQA,  AAHP,  and  AAPS  voiced  concerns  before  the 
Subcommittee  on  Privacy  and  Confidentiality  regarding  the  vagueness  and  ambiguity  of 
the  Minimum  Necessary  standard. 

HIAA  testified  that,  because  of  the  inherent  vagueness  of  the  Minimum  Necessary 
standard,  there  may  be  defensive  restrictions  on  the  flow  of  PHI  between  providers  and 
health  plans.109  The  flexibility  of  the  standard,  according  to  HIAA,  introduces  a  great 
deal  of  uncertainty  regarding  what  measures  are  necessary  in  order  to  comply  with  the 
regulation.  HIAA  fears  that  with  this  uncertainty  comes  legal  risk;  it  is  concerned  that 
covered  entities,  seeking  to  minimize  exposure  to  liability,  will  err  on  the  side  of  being 


107  U.S.  Department  of  Health  and  Human  Services,  Office  of  Civil  Rights,  "Standards  for  Privacy  of 
Individually  Identifiable  Health  Information,"  6  Jul.  2001,  cited  in  Henry  R.  Desmarais,  MD,  MPA,  "The 
'Minimum  Necessary'  Standard  under  the  HIPAA  Privacy  Regulation."  National  Committee  on  Vital  and 
Health  Statistics,  Subcommittee  on  Privacy  and  Confidentiality,  Washington  D.C.,  22  Aug.  2001,  24  Sep. 
2001 http://www.ncvhs.hhs.gov/010822p1.htm.

108  Id.,  at  3. 

109 Id.


overly restrictive.110 The resultant diminished availability of information may
adversely impact the quality and affordability of health care.111

NCQA testified that the ambiguity of the standard, coupled with the fear of
enforcement action, will limit the flow of information, which in turn will adversely affect
quality assurance measures, disease management, and accreditation.112

AAHP warns that the vagueness and ambiguity of the minimum necessary standard
will lead the plaintiffs' bar to use the standard as a weapon.113 It states that covered
entities' deliberations will be overshadowed by concern about any enforcement action.
This concern is fueled by "the potential for class action litigation, the creativity of the
plaintiffs' bar in seeking causes of action and the current hostile climate that exists for
managed care companies."114

AAPS  feels  that,  because  the  minimum  necessary  standard  is  basically  undefined, 
it  is,  therefore,  unenforceable.115  It  states  that  physicians  will  be  "forced  into  a  game  of 
regulatory  roulette,  guessing  what  standard  to  follow  without  a  final  authority  or  even 
advisory  opinion,  while  being  subject  to  criminal  penalties  if  they  guess  wrong."116 

The  concern  about  the  liability  risk  due  to  the  vagueness  and  ambiguity  of  the 
Minimum  Necessary  standard  seems  to  be  misplaced.  HHS,  itself,  stated  that  its  intent  is 
for  covered  entities  to  exercise  "substantial  discretion"  in  the  implementation  of  this 


110  Id.  at  3. 

111  Id. 

112  Sharon  King  Donohue,  supra  note  88,  at  5. 

113 Kenneth W. Fody, "The 'Minimum Necessary' Use and Disclosure of Protected Health Information",
National  Committee  on  Vital  and  Health  Statistics,  Subcommittee  on  Privacy  and  Confidentiality, 
Washington  D.C.,  22  Aug.  2001,  24  Sep.  2001  http://www.ncvhs.hhs.gov/010822p3.htm. 

114  Id. 

115  Kathryn  Serkes,  Testimony,  National  Committee  on  Vital  and  Health  Statistics,  Subcommittee  on 
Privacy  and  Confidentiality,  Washington  D.C.,  22  Aug.  2001,  24  Sep.  2001 
http://ncvhs.hhs.gov/010822p5.htm.

116  Id. 


standard.  It  purposefully  allows  covered  entities  to  make  their  own  assessment  of  what 
PHI  is  needed  for  a  given  purpose.  HHS  does,  however,  provide  a  framework  to, 
perhaps,  guide  a  covered  entity  in  its  assessment  of  what  is  reasonably  necessary.  The 
Preamble  provides  the  following  reasonableness  factors: 

-  The  extent  to  which  the  use  or  disclosure  would  extend  the  number  of 
persons  with  access  to  the  protected  health  information. 

-  The  likelihood  that  further  uses  or  disclosures  of  the  protected  health 
information  could  occur. 

-  The  amount  of  protected  health  information  that  would  be  used  or 
disclosed. 

-  The  importance  of  the  use  or  disclosure. 

-  The  potential  to  achieve  substantially  the  same  purpose  with  de- 
identified  information. 

-  The  technology  available  to  limit  the  amount  of  protected  health 
information  used  or  disclosed. 

-  The  cost  of  limiting  the  use  or  disclosure. 

-  Any other factors that the covered entity believed were relevant to the
determination.117

Because of this, the risk of enforcement action coming directly from HHS appears to be
low. Further, there is no private right of action provided for in the Act. However,
individuals may have other avenues for redress. In fact, the Privacy Rule provides
individuals the right to file a complaint that will initiate an investigation by HHS.118
Additionally,  an  individual  could  file  suit  for  medical  malpractice  for  breach  of  the 
standards  found  in  the  Privacy  Rule,  although  to  prevail,  he  would  have  to  prove  breach 
of  the  standard  within  the  medical  community.  Based  on  the  flexibility  of  the  Minimum 

117  Final  Rule  Preamble,  Part  II,  supra  note  36. 

118  Final  Privacy  Rule,  supra  note  18,  at  45  CFR  §  160.306,  11. 


37 


Necessary  standard,  it  would  be  difficult  to  ascertain  a  specific  standard  in  the  medical 
community  upon  which  to  base  a  breach.  Therefore,  the  likelihood  of  success  in  the 
medical  malpractice  arena  also  seems  low.  Although  the  actual  risk  of  liability  may  be 
low,  the  fact  that  many  in  the  health  care  community  are  concerned  about  it  may  likely 
result  in  overly  cautious  limitations  on  the  use  and  disclosure  of  medical  records. 

While  the  concerns  of  liability  risk  may  be  misplaced,  other  following  concerns 
based  on  the  vagueness  and  ambiguity  of  the  Minimum  Necessary  standard,  are  better 
founded. 

Misplaced discretion may limit usefulness of information. HIAA feels that the standard inappropriately places the discretion on the covered entity receiving requests for information. It testified that, "Only the entity making a request for information has an informed basis for determining whether the information is the minimum necessary for its purposes" and further stated, "This aspect of the standard almost certainly will lead to inappropriate restrictions on the disclosure of health information."119

AAHP, noting the discretion concern, stated, "The problem is that the PHI that Covered Entity A needs is not the same PHI that Covered Entity B believes is necessary to perform the same operation."120 They further state that the receiving entity is inclined to be conservative since it does not need the information, but would likely be worried about potential liability if the information is later misused.121 AAHP notes that the Privacy Rule does provide that a covered entity may rely on a request for information from another covered entity if it is reasonable to rely on that request as being for the minimum necessary for the stated purpose. However, it points out that the Privacy Rule leaves room for entities to disagree over the reasonableness of the request.122

119 U.S. Department of Health and Human Services, supra note 107, at 3.

120 Kenneth W. Fody, supra note 113, at 3.

121 Id.

Minimum necessary standard may be used to shield information. HIAA testified that it is concerned that the minimum necessary standard may be used to shield "wasteful, abusive, and fraudulent activities."123 Because of the subjectivity of the standard, it will be easy for "bad actors" to use the standard to justify withholding information that would provide evidence of "upcoding, misdiagnosis, over-treatment, or outright fraud."124 HIAA noted that the General Accounting Office (GAO) has estimated that as much as ten percent of the nation's expenditure for health care is attributable to fraudulent and/or abusive activities.125

Administrative burden of the minimum necessary standard. NCQA testified before the Subcommittee that defining what is the "minimum necessary" for all potential uses and disclosures relevant to certain health care operations will be difficult and administratively burdensome.126 It will be especially difficult for health plans performing quality assurance measures to determine what PHI is relevant to a certain task without having access to and reviewing the entire medical record.127 As an example, "attempting to appropriately match a plan's disease management program to an enrollee without complete knowledge of the individual's current medical condition and related or secondary illnesses would be impossible."128

122 Id.

123 Henry R. Desmarais, supra note 107, at 3.

124 Id.

125 Id. at 4.

126 Sharon King Donohue, supra note 88, at 5.

127 Id.

128 [footnote text illegible in source]



A report prepared by the First Consulting Group for the American Hospital Association on the impact of the HIPAA Final Privacy Rule noted that a significant change in the Final Rule from the Proposed Rule is the inclusion of paper-based PHI.129 This change greatly expands the "scope of the investigation" necessary to satisfy the minimum standard.130

The prejudicial nature of partial information. AAPS warns that the "minimum necessary" information might be just as prejudicial, if not more so, than a person's entire medical record.131 An example of this prejudicial tendency is, "the presence of a diagnostic code for anxiety or depression could be prejudicial, whereas an understanding of the likely nonrecurring circumstances and the response to treatment would show the patient's generally excellent mental status."132 AAPS notes that patients should understand that the minimum necessary standard bears little relationship to the potential harm from disclosure. Rather, information is more likely to be segregated by type than by sensitivity.133 For example, "The very fact that a laboratory test (such as a drug screen) was done may be prejudicial even though the test was negative and was required because of a job requirement not because of suspected drug abuse. . . The requester of the information may actually have no need to know about it, even though a categorical request for lab tests was made."134

129 First Consulting Group, Report on the Impacts of the HIPAA Final Privacy Rule on Hospitals, March 2001, 11.

130 Id. at 12.

131 Kathryn Serkes, supra note 115, at 3.

132 Id.

133 [footnote text illegible in source]



D. Minimum Necessary Standard Recommendations

Based on the above concerns, organizations in the health care community made recommendations for the Minimum Necessary standard ranging from deleting it in its entirety from the Privacy Rule to making various modifications to it.

Deletion of Minimum Necessary Standard. HIAA and the Healthcare Leadership Council both recommend deletion of the Minimum Necessary standard from the Privacy Rule. HIAA made its recommendation before the Subcommittee in August 2001; the Healthcare Leadership Group made its recommendation in a letter to HHS in March 2001.

HIAA recommends deletion of the standard based on its belief that other parts of the Rule adequately protect PHI.135 The Privacy Rule, even without the Minimum Necessary standard, contains considerable restrictions on the amount and types of information that can be used and disclosed by covered entities. HIAA believes those restrictions are more susceptible to objective and consistent application by covered entities than the Minimum Necessary standard.136 Using a more objective standard will relieve the concerns of vagueness and misplaced discretion. Two elements that serve to protect PHI are the authorization requirement and the notice requirement. A core principle of the Privacy Rule is that a covered entity may not use or disclose PHI for purposes other than TPO, and certain other limited purposes, without first obtaining a written authorization from the individual.137 Additionally, the Rule requires that any use or disclosure of PHI by a covered entity must be consistent with those provided in the covered entity's notice of privacy practices, which must be provided to each individual.

135 Henry R. Desmarais, supra note 107, at 2.

136 Id. at 5.

137 Id.

The Healthcare Leadership Council's recommendation to delete the Minimum Necessary standard is based on its belief that it is unnecessary. It noted that the Minimum Necessary standard specifically states that it does not apply to the disclosure of PHI for treatment and that, from this, it can reasonably be implied that the standard does apply to the use of information for treatment purposes. The Healthcare Leadership Council believes the restriction on use is not only unnecessary and a waste of resources, but also potentially dangerous.140 If HHS intended for uses for treatment to be excluded from the minimum necessary standard as disclosures for treatment are, the Healthcare Leadership Council recommends making that clear in the Rule.141

Modifications to the minimum necessary standard. Each of the modifications recommended by organizations in the health care community attempts to create more certainty and objectivity in the minimum necessary standard with the ultimate aim of reducing the risk of liability.

Mr. Ken Fody, AAHP, to demonstrate the confusion generated by the minimum necessary standard, related this story:

On Monday, April 16, the first business day after Secretary Thompson announced that the privacy rule would be adopted as planned, I learned that a doctor was refusing to allow a team from my company to perform a HEDIS review. The reason: the HIPAA privacy rule prohibited the doctor from releasing the information. I received three more, identical phone calls within the next two weeks. I do not know how many times that situation has repeated since then because I crafted a standard letter for providers pointing out, among other things, that the privacy rule is not effective for two years. If there is confusion over something as simple as the implementation date, imagine the potential for confusion and conflict when we get to the substance of the rule.142

138 Id.

139 Healthcare Leadership Council, Letter to U.S. Department of Health and Human Services, 29 Mar. 2001, 3.

140 Id.

141 [footnote text illegible in source]

AAHP, therefore, recommended to the Subcommittee on Privacy and Confidentiality, with the aim of making the standard less ambiguous and minimizing liability, that the Privacy Rule be modified to do the following:

- clarify that covered entities may develop broadly worded policies and procedures for categories of operations;

- prevent disputes between covered entities by encouraging a covered entity receiving a request from another covered entity to rely on that request;

- clearly indicate the standard of conduct established for a covered entity and the extent of a covered entity's discretion;

- establish that the minimum necessary requirement does not apply to uses of information that has been obtained from another covered entity;

- clarify that a covered entity's organization, procedures and information infrastructure are factors to be considered in determining what information is necessary, and that covered entities therefore may develop different policies and procedures for the same types of operations; and

- clearly indicate that a covered entity has satisfied the minimum necessary requirement if it has identified the information that it reasonably believes to be necessary for the task at hand, even if that information is not actually used.143

AAPS, in an effort to clarify the standard and reduce any ambiguities, recommended that HHS make a list of circumstances for which the minimum necessary standard applies and those circumstances for which it does not.144 AAPS also recommended that all requests for PHI should either be for a copy of the medical record within certain parameters (date, type of information), or for a specified set of information to be provided from the record.145 AAPS believes this to be a more workable standard. "It requires no omniscient person fully cognizant of the content of the record, the needs of the requestor, and the mindset of the enforcer."146 This recommendation would certainly serve to minimize any ambiguities in the minimum necessary standard.

142 Kenneth W. Fody, supra note 113, at 5.

143 Id.

144 Kathryn Serkes, supra note 115, at 6.

NCQA, in an effort to ensure the free flow of information to health plans for quality enhancing activities, recommended that the minimum necessary standard exempt from its coverage: quality assurance, performance evaluations, accreditation activities, and other similar health care operations.147 NCQA believes that otherwise, given the ambiguity of the standard, there is no assurance that covered entities will comply with legitimate requests for PHI needed for the continuous improvement of health care.148

VII. PRIVACY RULE'S EFFECT ON COST & QUALITY OF HEALTH CARE

There are many aspects of the Privacy Rule that will affect the cost and quality of health care. This paper, because of the centrality of those two aspects, focused on the Consent requirement and the Minimum Necessary standard. Therefore, the paper only purports to analyze the effects that those two aspects of the Privacy Rule will have on the cost and quality of health care.

A. Effect on the Cost of Health Care

The cost of the entire Privacy Rule was originally estimated by HHS to be between $1.8 and $3.6 billion. HHS, however, now estimates the cost of implementation to be approximately $17.6 billion over ten years.149 Other estimates, outside HHS, put the cost at $40 billion over five years.150

145 Id.

146 Id.

147 Sharon King Donohue, supra note 88, at 5.

148 Id.

The cost of the consent requirement accounts for only a small portion of the overall costs of the Privacy Rule. HHS estimates a ten year cost of $227 million, with most of that cost, $166 million, being attributable to the initial costs of the requirement.151 This estimate may likewise be viewed by those outside of HHS as being optimistically low. HHS, in creating its estimate, projected only a five cent per document cost. Five cents may cover the cost of the paper and, perhaps, even the ink, but it does not appear to take into consideration the time-associated costs of administering the Consent, both professional and administrative.

The cost of the Minimum Necessary standard, on the other hand, is estimated by HHS to be the second costliest aspect of the Privacy Rule. HHS projects the cost to be $5.8 billion over ten years152 - roughly one third of the entire cost of the Privacy Rule. Other projections put the cost at $19.8 billion over five years.153 In arriving at its estimate, HHS considered that health care providers, hospitals, and health plans will need to establish policies and procedures governing the use and disclosure of PHI, and will subsequently have to adjust their practices to conform to the new policies and procedures.154 The ambiguity of the Minimum Necessary standard may likely cause the cost to be closer to the near $20 billion projection. AAPS flatly stated that it was impossible to calculate the cost of applying a standard that is so "vague and ambiguous."155

149 John F. Cahill, "Implications of the New Privacy Standards for Healthcare Institutions." Healthcare Financial Management, 6.55 (1 Jun 2001), p. 1.

150 Id. at 2.

151 Final Rule Preamble, Part IV.

152 Id.

153 Henry R. Desmarais, supra note 107, at 5.

154 Final Rule Preamble, Part IV.

The costs associated with these two aspects of the Privacy Rule, as well as the Privacy Rule in total, will initially be borne by health care providers, hospitals, and health plans. However, the impact will be on the entire health care community, and will finally be borne by the consumers, through ever higher health insurance premiums.

B. Effect on the Quality of Health Care

One of the purposes of the Privacy Rule, as stated in the Preamble, is to improve the quality of health care by restoring trust in the health care system. There is a fine balance when introducing new regulations into a system between actually improving the system and causing harm to it. Secretary Thompson, as noted in Section VI, recognized this concern when he stated, "Over-regulation undermines quality of care and health care delivery by using scarce resources unproductively." Both the Consent requirement and the Minimum Necessary standard were introduced to improve the quality of health care; however, the implementation of each will, likely, have an aggregate negative impact on quality.

The Consent requirement was intended to improve the quality of health care through informing patients of how their PHI would be used and disclosed for TPO. Fully informing the patients, it is believed, will secure their trust that their PHI will be protected, and at the very least, ensures they know how their PHI will be handled. As discussed in Section II, trust is essential for quality health care. The patient needs to be able to trust that the health care provider is going to protect his PHI; otherwise, he will not share the more intimate details that may be necessary for effective, quality treatment.156

155 Kathryn Serkes, supra note 115, at 4.

While the overall concept of the Consent requirement would, likely, improve the quality of health care, the details of the requirement would, likely, negatively impact the quality of health care. In today's managed care environment, "office-call" time is already at a premium. Adding the requirement of obtaining informed consent will further reduce the time available for treatment. Requiring consent before treatment can be initiated will, likely, cause delay in treatment. The negative impact on treatment is obvious, but the requirement also negatively affects quality by limiting information for health care operations. If an individual either refuses to provide consent or later revokes consent, his PHI will no longer be accessible for the quality review aspects of health care operations. That information would not be available for utilization review, quality assessment review, or for disease management. This lack of information will negatively impact the quality of health care because that information cannot be used as part of the overall assessment for quality review. The individual's own health care may be at risk because of his lack of consent, as well. If there is notification of a problem with a medication that the individual is taking, and he has not provided a Consent, he may not be able to be notified in a timely manner.

The Minimum Necessary standard provides, at least in theory, added trust to individuals that their PHI will not be unnecessarily used or disclosed. It also can improve quality by limiting the opportunities for an individual's medical records to get lost. Limiting uses or disclosures of PHI to the minimum necessary level means that the entire record will not necessarily be continually used for every purpose; rather, only that portion needed will be used. Therefore, when the medical record is needed for treatment, it is more likely, with this standard, that the records will be available. Having medical records available for treatment is essential for quality care, especially in a case of continuing treatment.

156 Final Rule Preamble, Part I, supra note 38.

The Minimum Necessary standard may negatively impact quality by limiting information for quality review purposes. Given the concerns over the ambiguous nature of the standard, there may, likely, be cases where information is withheld under the guise of the Minimum Necessary standard. This may, especially, be troubling if the standard is used to wrongly withhold evidence of "bad" care. In such cases, the information that most needs review will not be measured.

While both the Consent requirement and the Minimum Necessary standard have aspects that benefit the quality of health care, both have aspects that can be very detrimental to the quality of health care.

VIII. PROPOSED MODIFICATIONS FROM HHS

"Congress specifically authorized HHS to make appropriate modifications in the first year after the final rule took effect in order to ensure the rule could be properly implemented in the real world."157 HHS, in fact, in the General Overview of the Privacy Rule announced its intention to issue "proposed modifications to correct any unintended negative effects of the Privacy Rule on health care quality or on access to such care."158

HHS provided examples of changes they would likely make to the Privacy Rule:

- Phoned-in Prescriptions - A change will permit pharmacists to fill prescriptions phoned in by a patient's doctor before obtaining the patient's written consent.

- Referral Appointments - A change will permit direct treatment providers receiving a first time patient referral to schedule appointments, surgery, or other procedures before obtaining the patient's signed consent.

- Allowable Communications - A change will increase the confidence of covered entities that they are free to engage in whatever communications are required for quick, effective, high quality health care, including routine oral communications with family members, treatment discussions with staff involved in coordination of patient care, and using patient names to locate them in waiting areas.

- Minimum Necessary Scope - A change will increase covered entities' confidence that certain common practices, such as use of sign-up sheets and X-ray lightboards, and maintenance of patient medical charts at bedside, are not prohibited under the rule.159

157 Office for Civil Rights, OCR HIPAA Privacy TA 164.000.001 General Overview, 24 Sep 2001 http://www.hhs.gov/ocr/hipaa/genoverview.html, p. 4.

158 Id. at 3.

On March 27, 2002, HHS published, in the Federal Register, proposed modifications to the Privacy Rule. Some of the proposed modifications directly impact the Consent requirement and the Minimum Necessary standard. HHS based its proposed modifications on comments it received on the Final Privacy Rule, as well as the testimony provided to and recommendations from the Subcommittee. HHS noted concern by the many comments it received about unintended consequences of the Consent requirement that impede the provision of quality health care.160

HHS proposed the following modification to the Consent requirement:

The Department proposes to make optional the obtaining of consent to use and disclose protected health information for treatment, payment, or health care operations on the part of all covered entities, including providers with direct treatment relationships. Under this proposal, health care providers with direct treatment relationships with individuals would no longer be required to obtain an individual's consent prior to using and disclosing information about him or her for treatment, payment, and health care operations.161

159 Id. at 4.

160 Proposed Modifications to the Privacy Rule, 67 Fed. Reg. 14,780 (Mar. 27 2002).

161 Id.



HHS proposed a modification directly in line with what it proposed in the General Overview:

The Department proposes to modify the Privacy Rule to add a new provision... which explicitly permits certain incidental uses and disclosures that occur as a result of an otherwise permitted use or disclosure under the Privacy Rule. An incidental use or disclosure would be a secondary use or disclosure that cannot reasonably be prevented, is limited in nature, and that occurs as a by-product of an otherwise permitted use or disclosure under the Privacy Rule. The Department proposes that an incidental use or disclosure be permissible only to the extent that the covered entity has applied reasonable safeguards. . . 162


IX. RECOMMENDATIONS

My recommendations for modifications to the Privacy Rule pertain only to the two aspects of the Rule that I examined, the Consent requirement and the Minimum Necessary standard. Four factors drive my recommendations: patient expectations, the stated purposes of the Privacy Rule, the concerns voiced in testimony before the Subcommittee by representatives of the health care community, and the effects that the two aspects will, likely, have on the cost and quality of health care.

A. Recommendations for the Consent requirement

I recommend completely deleting the Consent requirement from the Privacy Rule. I further recommend that the definition of "health care operations" be narrowed to include only quality review-related activities, thereby deleting from the definition activities such as marketing and fundraising, which do nothing to further the individual's medical care.

My recommendations coincide with the reasonable expectations of patients, as mentioned in Section VI. Patients seeking treatment reasonably expect their PHI to be used for treatment purposes, for payment purposes, as well as for quality assurance purposes. It is unnecessary, therefore, to require Consent for TPO, provided, however, that the definition of health care operations is narrowed.

162 Id. at 14,785.

My recommendations also further the three stated purposes of the Privacy Rule, as listed in Section II: "To protect and enhance the rights of consumers. . . To improve the quality of health care. . . To improve the efficiency and effectiveness of health care. . ."

To protect and enhance the rights of consumers. While having the Consent requirement arguably serves to protect and enhance the rights of consumers, deleting it does not adversely impact that purpose. Although the individual will not be signing a consent, the Notice requirement, which would still be in the Privacy Rule, provides the individual with all the information regarding the uses and disclosures of his PHI for TPO. Additionally, while the Consent requirement is not "legally" coercive, it is not truly voluntary. Therefore, deleting it could be seen as enhancing the rights of consumers, by not putting them in the situation where they feel compelled to provide their consent in order to receive treatment. My proposed narrowing of the definition of "health care operations" adds even more protection to the rights of consumers. Since the Consent requirement would be deleted, it would be essential to narrow the definition of "health care operations" to ensure that an individual's PHI would not be used for inappropriate uses or uses outside their expectations, such as marketing or fundraising.

To improve the quality of health care. My recommendations will enhance the quality of health care. As previously stated, trust between the health care provider and the patient is essential for quality health care. Given my recommendations, that trust can be furthered by limiting the uses of PHI to that which the patient already expects. Because he will not be concerned with other possible uses and disclosures of his PHI, he will, likely, feel more comfortable about discussing the necessary information for him to receive proper treatment. Additionally, since the Consent requirement would be deleted, there would be no resulting negative effects on the ability to conduct quality reviews in health care, since there would be nothing to revoke. Therefore, covered entities can be assured that individuals' PHI will be available for any necessary quality measurements.

To improve the efficiency and effectiveness of healthcare. The efficiency and effectiveness of health care would be enhanced by the deletion of the Consent requirement. Under the Consent requirement, the Consent was needed before initiation of TPO. Therefore, there would, likely, be undue delays in TPO because of either awaiting Consent or because the Consent had been revoked. Additionally, obtaining Consent would, likely, take time away from an already limited appointment time for treatment. Deleting the requirement would, therefore, allow faster access to treatment, as well as more time for treatment; both of which would further the quality of health care.

My recommendations would also alleviate the concerns of the health care community: the coercive nature of the Consent requirement, the administrative burden of the Consent requirement, the broad definition of health care operations, and the effects of revocation of consent. Deleting the Consent requirement completely removes any concern regarding the coercive nature of the requirement, the administrative burden of the requirement, and the effects of revocation. And, narrowing the definition of "health care operations" directly answers the concern regarding its broad definition. My recommendations, additionally, remove all of the underlying concerns within each of the broader concerns.


The coercive nature of the Consent requirement. While deleting the Consent
requirement obviously removes the concern regarding its coercive nature, it also removes
the underlying concerns voiced by the health care community regarding that coercive
nature. Without the competing issue of consent for treatment, health care providers will
not be placed in a possibly adversarial position to the patient. Deletion also alleviates
the ethical Catch-22 concern, where a health care provider feels that he ethically has to
provide treatment to the patient, but because the patient did not provide Consent, he
cannot safely do so (since he would have to treat the patient without the benefit of the
medical record).

The administrative burden of the Consent requirement. Deleting the Consent
requirement alleviates the underlying concern of inconvenience and delays to patients
that would be present under the Consent requirement. This is particularly important in
patients' interactions with pharmacies. Without the requirement, patients will be able to
have their prescriptions filled over the telephone or on the internet without first having
to physically go to the pharmacy to complete a Consent. Additionally, patients will be
able to have a family member or friend pick up their medications at a pharmacy for them.

The effects of revocation of Consent. Deleting the Consent requirement will
remove the underlying effects of revocation of Consent. Health care providers will not
be faced with the dilemma of having to terminate treatment due to revocation.
Pharmacies will not be faced with the situation of being unable to warn patients of a
problem with a medication. Pharmacies will be able to maintain all medication records
without the burden of having to separate or destroy those for which Consent had been
revoked. With all their records, pharmacies will have the assurance that they are able to
notify all their patients who were given a certain medication in a situation where time
may be of the essence. Quality assurance measurements and disease management
statistics will be more accurate and valuable because all the records will be subject to
review. Under the Consent requirement, records for which Consent had been revoked
could not be used; therefore, the resulting statistics would be of questionable value.

The broad definition of health care operations. Narrowing the definition to
include only quality assurance-related purposes provides patients greater control of their
PHI. This is especially important with the deletion of the Consent requirement. Patients
will be assured that their PHI is being used only for purposes for which they reasonably
expected it to be used. While the other activities currently covered in the definition of
health care operations may be useful, they are outside the realm of what patients expect.
If patients nonetheless want their PHI to be used for those activities, they may permit it
with the added protection of the Authorization provided in the Privacy Rule. The
Authorization is currently required for ancillary purposes. Putting the activities other
than quality assurance measurement into the category of ancillary purposes will ensure
that patients are specifically notified of these other uses and are provided the
opportunity to specifically authorize a given activity.

Deleting the Consent requirement will have a positive effect on the cost and
quality of health care. While the cost associated with the Consent was estimated by HHS
to be relatively low, that estimate quite clearly did not include all cost areas, including
time-associated costs. Without the requirement, any costs that would have been
associated with it will be saved. The greater impact of deleting the requirement will be
on the quality of health care. Many of the above-mentioned concerns centered on the
effect on quality. Deleting the requirement eliminates those concerns. More time will be
available for treatment during office visits, and more information will be available for
quality assurance-related activities, both of which will have a positive effect on the
quality of health care.

My recommendation is similar to that which HHS recently published. We both
recommend removing the mandatory Consent requirement for TPO. However, HHS does
not propose narrowing the definition of health care operations. As I mentioned above,
the broad definition is troubling as it stands in the existing Final Privacy Rule. But
leaving the definition as is, while removing the Consent requirement, would have
detrimental effects. An existing concern is that patients may feel "coerced" into providing
Consent for uses and disclosures that do not further the individual's health care, such as
fundraising and marketing. By deleting the Consent requirement and leaving the
definition as it is, the "coercive nature" of the Consent is alleviated. However, in its
wake is a much more serious problem. Under that situation, the patient either may not be
apprised of all the uses and disclosures of his PHI, or may not have any control over
those uses even if they were made known. Under my recommendation, the patient will
be fully notified of all uses and disclosures of his PHI, which will be in line with what
would reasonably be expected. Additionally, the patient would be informed of other uses
or disclosures of his PHI outside of TPO, which he could Authorize if he so wanted.

B. Recommendations for the Minimum Necessary standard

I recommend modifying the Minimum Necessary standard so that it does not apply
to any treatment purposes. I would leave the standard in place, however, for payment and
health care operations. Additionally, I would place sole responsibility for establishing
what is minimally necessary on the requesting party.

These recommendations align with patient expectations that their PHI will be
used for TPO, while ensuring efficient, high-quality medical care and protecting PHI
from overexposure. While patients may reasonably expect that their complete medical
records need to be readily available for medical treatment, they may not reasonably
expect the same for payment or health care operations. Medical care is expected to be
provided in a timely manner and is thus viewed as time sensitive. Payment and health
care operations, while arguably time sensitive, do not hold the import of medical care.
Additionally, while an entire medical record may likely be needed for treatment, it would
not typically be needed for payment and health care operations. Rather, information
pertaining to a specific visit or ailment would likely be needed for those purposes.

My recommendations also further the stated purposes of the Privacy Rule:

To protect and enhance the rights of consumers. Allowing the complete medical
record to be available for all treatment purposes, while limiting access for payment and
health care operations, certainly protects and enhances the rights of consumers. Ensuring
that a patient's medical records are available for all treatment purposes will allow for
efficient, quality care. The medical records will not be subject to "subjective" standards
regarding what may be needed for a given office visit or ailment. Rather, the entire
medical record will be available to the health care provider, who may use it in toto to
provide complete medical care. Limiting access to PHI for payment and health care
operations protects patients' rights because it will control the unnecessary or
inappropriate use of that information. Additionally, limiting access for uses outside the
treatment realm increases the likelihood that the entire medical record will be available
for medical treatment when it is needed.

To improve the quality of health care. Having the entire medical record available
for all medical care is essential for quality care. Having the Minimum Necessary
standard not apply to treatment will greatly increase the availability of the entire record
for treatment purposes. Quality care is also affected, however, by measurement activities
which are part of health care operations. While the Minimum Necessary standard would
still apply to health care operations, my recommendation to shift sole responsibility for
determining what is minimally necessary to the requester will also enhance quality care.
The individuals or organizations who would be performing the quality assessments are in
a better position to know what "type" of information is needed in order to perform their
assessments. Giving them sole responsibility, and relieving the provider of the
information of that responsibility, should enhance quality by ensuring that they have the
information to measure it and thus make recommendations for improvements.

To improve the efficiency and effectiveness of health care. My recommendations
will increase the efficiency and effectiveness of health care over what the Privacy Rule
provides. Having the standard not apply for treatment purposes should provide faster
and more complete access to PHI. Since each record will not have to be reviewed,
segregated, and sorted, the records should be available for treatment without delay.
Additionally, since the entire record will be available, and not sorted by what has been
"subjectively" determined to be minimally necessary, the effectiveness of treatment
should be enhanced. Health care providers with the entire medical record will have
access to the patient's entire medical history, which may in some way affect the patient's
current ailment and treatment.

My recommendations answer the concerns voiced by the health care community:
the vagueness and ambiguity of the Minimum Necessary standard; misplaced discretion
that may limit the usefulness of information; the possibility that the Minimum Necessary
standard may be used to shield information; the administrative burden of the Minimum
Necessary standard; and the prejudicial nature of partial information.

My recommendation to shift sole responsibility for determining what is minimally
necessary for a given purpose to the requester alleviates most of these concerns. HHS
has quite clearly stated that it intends for covered entities to use their professional
judgment on what is minimally necessary. From this, it can reasonably be assumed that
it places confidence in covered entities and will thus not place unreasonable
expectations for compliance. Because of this, the concerns regarding the vagueness and
ambiguity of the standard, the misplacement of discretion, and the shielding of
information should be answered. The requester, who needs the information, no longer
need worry that the entity supplying the information will use its "subjective" standard for
determining what is minimally necessary. Rather, the requester has sole discretion, and
the supplier of the information must rely on the request. Not only would the supplier no
longer have discretion, it also would no longer be subject to enforcement action
regarding the Minimum Necessary standard. Therefore, the supplier of the information
would have no reason to provide limited information for fear of enforcement action, nor
would it have any ability to shield information that it did not want known for quality
purposes.


Having the Minimum Necessary standard not apply for treatment purposes should
greatly reduce the administrative burden of the standard, as well as reduce the concern
about the prejudicial nature of partial information. My recommendation should greatly
reduce the administrative burden, since no medical record would have to be reviewed
prior to any treatment. Even though the standard would still apply for payment and
health care operations, the administrative burden should be lessened there as well.
Entities needing information for payment and health care operations should be in a
better position than entities needing information for treatment purposes to use "routine
request" formulae rather than rely on case-by-case analysis. Using "routine request"
formulae will be less burdensome for both the requester and the supplier of PHI. The
requester will not have to make a case-by-case determination, and the supplier of the PHI
will know what is routinely needed and will be able to systematically separate the PHI
for those purposes, rather than having to separate information on a case-by-case basis.

My recommendations should have a great impact on the cost and quality of health
care. The Minimum Necessary standard is currently the second most expensive aspect
of the Privacy Rule, estimated at $5.8 billion over ten years. By making the standard not
apply to any treatment purposes, that cost should be greatly reduced. Quality of health
care should be enhanced, since the entire medical record should be available for all
treatment purposes. Placing sole discretion on the requester for determining what is
minimally necessary should ensure that the needed information will be available for the
necessary quality assessment reviews. Strengthening the quality assessment review
process should thus directly impact the future quality of health care.


My recommendations also remove the inconsistency inherent in the Final Privacy
Rule. In the Final Privacy Rule, the standard does not apply to "external" requests for
treatment purposes. Therefore, the only treatment purposes to which the standard applies
are ones internal to the entity. It seems logical that an entity would have greater
knowledge of and trust in its internal matters than it would have in other entities'
matters. Placing the burden on internal uses, while having none for external uses, runs
directly against common sense. My recommendation provides consistency for all
treatment purposes by allowing the entire medical record to be available for any and all
treatment purposes.

While HHS's proposed modification to the Minimum Necessary standard,
allowing for incidental uses and disclosures of PHI, is an improvement over the current
standard, it does not adequately respond to the concerns voiced by the health care
industry. My recommendations not only answer the concerns of the health care industry,
they align with patient expectations, further the purposes of the Privacy Rule, and will
have a positive effect on the cost and quality of health care.

X. CONCLUSION

The intentions behind the establishment of the Privacy Rule, as evidenced in the
Rule's stated purposes of enhancing consumer rights and improving the quality and
efficiency of health care, are laudable. And the Privacy Rule, in its present form, does
much to meet those intentions. However, certain aspects of the Privacy Rule may do more
to hinder consumer rights and the quality of health care than they do to improve them.
HHS stated it was open to modifications to improve the Privacy Rule and, in fact, has
made some. Its recent modifications, while an improvement, do not quiet the concerns of
the health care community.


My recommendations strengthen the Privacy Rule by addressing two key aspects of
the Rule, the Consent requirement and the Minimum Necessary standard. My
recommendations not only strengthen the Privacy Rule and alleviate the concerns of the
health care industry, they will also have a positive impact on the cost and quality of
health care.


BIBLIOGRAPHY

Black's Law Dictionary (5th ed. 1979).

Blevins, Sue A. Testimony. National Committee on Vital and Health Statistics,
Subcommittee on Privacy and Confidentiality. Washington D.C. 21 Aug. 2001.
24 Sep. 2001 http://www.ncvhs.hhs.gov/010821p4.htm.

Blevins, Sue, and Robin Kaigh. "The Final Federal Medical Privacy Rule: Myths and
Facts." Institute for Health Freedom 8 Feb. 2001. 25 Oct. 2001
http://www.forhealthfreedom.org/Publications/Privacy/MedPrivFacts.html.

Boswell, Donna A. "Hearings on Research Implications of Final Medical Privacy
Regulation." National Committee on Vital and Health Statistics, Subcommittee
on Privacy and Confidentiality. Washington D.C. 22 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010822p9.htm.

Cahill, John F. "Implications of the New Privacy Standards for Healthcare Institutions."
Healthcare Financial Management 55.6 (1 Jun. 2001): 12-17.

Christiansen, John, and Stoel Rives, LLP. Preliminary Analysis of HIPAA Privacy
Regulations: Information Privacy and Processes. 2 Jan. 2001.

Curran, William J., Mark A. Hall, Mary Anne Bobinski, and David Orentlicher. Health
Care Law and Ethics. 5th ed. Aspen Law & Business, 1998.

Darrah, Jacqueline M., MA, JD. "Consent Issues in Implementation of the 'Standards for
Privacy of Individually Identifiable Information'." National Committee on Vital
and Health Statistics, Subcommittee on Privacy and Confidentiality. Washington
D.C. 21 Aug. 2001. 24 Sep. 2001 http://www.ncvhs.hhs.gov/010821p6.htm.

Department of Health and Human Services, Office of the Secretary. "Final Privacy Rule
— Regulation Text." 24 Sep. 2001 http://www.hhs.gov/ocr/regtext.html.

Department of Health and Human Services, Office of the Secretary. "Final Privacy Rule
Preamble." 65 Fed. Reg. 82,462 (28 Dec. 2000). 27 Oct. 2001
http://aspe.hhs.gov/admnsimp/final/PvcPre01.htm.

Desmarais, Henry R., MD, MPA. "The 'Minimum Necessary' Standard under the HIPAA
Privacy Regulation." National Committee on Vital and Health Statistics,
Subcommittee on Privacy and Confidentiality. Washington D.C. 22 Aug. 2001.
24 Sep. 2001 http://www.ncvhs.hhs.gov/010822p1.htm.

Donohue, Sharon King. Testimony. National Committee on Vital and Health Statistics,
Subcommittee on Privacy and Confidentiality. Washington D.C. 21 Aug. 2001.
24 Sep. 2001 http://www.ncvhs.hhs.gov/010821p2.htm.

Duncan, George T., Thomas B. Jabine, and Virginia A. de Wolf. Private Lives and
Public Policies: Confidentiality and Accessibility of Government Statistics.
Washington, DC: National Academy Press, 1993.

First Consulting Group. Report on the Impacts of the HIPAA Final Privacy Rule on
Hospitals. March 2001.

Final Privacy Rule Preamble, I-IV. 27 Nov. 2001
http://aspe.hhs.gov/admnsimp/final/PvcPre01.htm.

Final Privacy Rule, Regulation Text, §§ 160, 164. 24 Sep. 2001
http://www.hhs.gov/ocr/regtext.html.

Fody, Kenneth W. "The 'Minimum Necessary' Use and Disclosure of Protected Health
Information." National Committee on Vital and Health Statistics, Subcommittee
on Privacy and Confidentiality. Washington D.C. 22 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010822p3.htm.

Friedrich, M. J. "Health Care Practitioners and Organizations Prepare for Approaching
HIPAA Deadlines (Health Insurance Portability and Accountability Act)."
JAMA 286.13 (3 Oct. 2001). 24 Oct. 2001 http://www.lawschool.westlaw.com.

Gemignani, Janet. "Are You Ready to Build HIPAA's Great Wall of Privacy? Health
Insurance Portability and Accountability Act of 1996." Business & Health 19.8
(1 Sep. 2001): 30-36.

Healthcare Leadership Council. Letter to Secretary Tommy G. Thompson, U.S.
Department of Health and Human Services. 8 Feb. 2002. 23 Feb. 2002
http://www.hlc.org/html/2-08-02specgrpconst.html.

Henderson, Mary. Testimony. National Committee on Vital and Health Statistics.
Washington D.C. 21 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010821p1.htm.

HIPAAdvisory. "Consents and Authorizations Explored." 4 Jan. 2002
http://www.hipaadvisory.com/action/advisor/HIPAAdvisor12.htm.

HIPAAdvisory. "Myths and Facts about the HIPAA Privacy Regulation." 22 March
2001. 29 Sep. 2001 http://www.hipaadvisory.com/views/Patient/myths.htm.

HIPAAdvisory. "When Does 'Minimum Necessary' Apply?" 4 Jan. 2002
http://www.hipaadvisory.com/action/advisor/HIPAAdvisor18.htm.

HIPAAntidote. Frequently Asked Questions about HIPAA. 31 Aug. 2001
http://www.hipaantidote.com/faq.asp.

Hurley v. Eddingfield, 59 N.E. 1058 (Ind. 1901).

Johnston, Mary Beth. "HIPAA Becomes Reality: Compliance with New Privacy,
Security, and Electronic Transmission Standards." 103 W. Va. L. Rev. 541
(Summer 2001).

Kelly, Bruce. Testimony. National Committee on Vital and Health Statistics.
Washington D.C. 21 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010821p3.htm.

Kulynych, Jenifer, J.D., Ph.D. "Standards for Privacy of Identifiable Health Information:
Final Rule." National Committee on Vital and Health Statistics, Subcommittee on
Privacy and Confidentiality. Washington D.C. 22 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010822p8.htm.

Merz, Jon F., Pamela Sankar, and Simon S. Yoo. "Hospital Consent for Disclosure of
Medical Records." 26 J.L.M. & Ethics, no. 3 (1998): 241-248.

National Association of Chain Drug Stores (NACDS). "Written Responses to Hearing
Questions." National Committee on Vital and Health Statistics, Subcommittee on
Privacy and Confidentiality. Washington D.C. 22 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010822p2.htm.

Office for Civil Rights. Standards for Privacy of Individually Identifiable Health
Information. 4 Sep. 2001 http://aspe.os.dhhs.gov/admnsimp/final/pvcguide1.htm.

Office for Civil Rights. OCR HIPAA Privacy TA 164.000.001 General Overview.
24 Sep. 2001 http://www.hhs.gov/ocr/hipaa/genoverview.html.

Pellow, Wendy. Testimony. National Committee on Vital and Health Statistics,
Subcommittee on Privacy and Confidentiality. Washington D.C. 23 Aug. 2001.
24 Sep. 2001 http://www.ncvhs.hhs.gov/010823p2.htm.

Proposed Modifications to the Privacy Rule. 67 Fed. Reg. 14,780 (27 Mar. 2002).

Serkes, Kathryn. Testimony. National Committee on Vital and Health Statistics,
Subcommittee on Privacy and Confidentiality. Washington D.C. 22 Aug. 2001.
24 Sep. 2001 http://www.ncvhs.hhs.gov/010822p5.htm.

Szabo, Joan. "Guidance Issued on HIPAA Privacy Rule." Medical Laboratory
Observer 33.9 (1 Sep. 2001): 68-70.

U.S. Department of Health and Human Services. "Protecting the Privacy of Patients'
Health Information." HHS Fact Sheet 6 July 2001. 4 Sep. 2001
http://www.hhs.gov/news/press/2001pres/01fsprivacy.html.

Villagra, Victor. Testimony. National Committee on Vital and Health Statistics,
Subcommittee on Privacy and Confidentiality. Washington D.C. 23 Aug. 2001.
24 Sep. 2001 http://www.ncvhs.hhs.gov/010823p1.htm.

Wachler, Andrew B., and Phyllis A. Avery. "Complex Privacy Regulations Have Far
Reaching Impact." 13 No. 3 Health Law. 1 (April 2001).

Weich, Ronald. "Significance of the 'Minimum Necessary' Standard." National
Committee on Vital and Health Statistics, Subcommittee on Privacy and
Confidentiality. Washington D.C. 22 Aug. 2001. 24 Sep. 2001
http://www.ncvhs.hhs.gov/010822p4.htm.

Winckler, Susan C., RPh, JD. Testimony. National Committee on Vital and Health
Statistics, Subcommittee on Privacy and Confidentiality. Washington D.C.
21 Aug. 2001. 24 Sep. 2001 http://www.ncvhs.hhs.gov/010821p5.htm.


